Horde arbitrary file inclusion vulnerability

Discussion in 'Linux VPS/Dedicated - cPanel' started by KH-Paul, Mar 6, 2008.

  1. KH-Paul

    KH-Paul CTO Staff Member

    The following notification was just received from cPanel:
    *************************
    An arbitrary file inclusion vulnerability has been discovered in the Horde
    webmail application. At present, we can confirm that this security
    vulnerability in question affects Horde 3.1.6 and earlier. Based on
    incomplete information at this time, we also believe this affects Horde
    Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware
    at this time).

    cPanel customers should update their cPanel and WHM servers immediately to
    prevent any chance of compromise. The patch will be available in builds
    11.18.2 and greater (or 11.19.2 and greater for EDGE systems). The updated
    builds will be available immediately to all fast update servers. The
    builds will be available to all other update servers within one hour of
    this posting.


    To check which version of cPanel and WHM is on your server, simply log
    into WebHost Manager (WHM) and look in the top right corner, or execute
    the following command from the command line as root:

    /usr/local/cpanel/cpanel -V

    You can upgrade your server by navigating to 'cPanel' -> 'Upgrade to
    Latest Version' in WebHost Manager or by executing the following from the
    command line as root:

    /scripts/upcp


    It is recommended that all use of Horde 3.1.6 and earlier be stopped (on
    cPanel and non-cPanel systems alike) until Horde updates can be applied.
    You can disable Horde on your cPanel system by unchecking the box next to
    'Server Configuration' -> 'Tweak Settings' -> 'Mail' -> 'Horde Webmail'
    within WHM, and saving the page with the new settings.


    We would like to thank HostGator for providing the initial details in
    their report of this vulnerability.
    *************************
     
  2. KH-Paul

    KH-Paul CTO Staff Member

    Please feel free to submit a support ticket at https://support.knownhost.com/ requesting assistance with cPanel update installation if you experience any problems using update functionality available at WHM >> cPanel >> Upgrade to Latest Version.
     
  3. ppc

    ppc Moderator

    Paul,

    While I was watching it perform the upgrade, Firefox crashed. Would the upgrade still have continued on successfully?
     
  4. KH-Paul

    KH-Paul CTO Staff Member

    Josh,

    Shouldn't be a big deal. upcp will keep running in the background even if the browser window is closed. Give it 10-15 minutes and then check the cPanel version in the top right corner of your WHM to confirm that the update was installed.
     
  5. ppc

    ppc Moderator

    What version should it be?
     
  6. KH-Paul

    KH-Paul CTO Staff Member

    ...
    The patch will be available in builds 11.18.2 and greater (or 11.19.2 and greater for EDGE systems)
    ...
     
  7. ppc

    ppc Moderator

    Gotcha ;) Thanks Paul.
     
  8. drwhit73

    drwhit73 Member

    I got the same e-mail from cPanel and updated mine. Thanks for posting this.
     
  9. Mr. Bahaa Ahmed

    Mr. Bahaa Ahmed New Member

    Same here, but thanks for telling us :)
     
  10. KH-Paul

    KH-Paul CTO Staff Member

    The following update was received from cPanel:

    *************************
    Summary:
    The Horde webmail application framework has been updated to 3.1.7. Upgrades have
    been made in cPanel's PHP application security model.

    Description:
    The Horde webmail application framework has been updated to 3.1.7 for the official
    fix to the previously announced arbitrary file inclusion vulnerability. cPanel has
    also made upgrades in cPanel's PHP application security model for Horde,
    PHPMyAdmin, and PHPPGAdmin. These upgrades have been made to minimize or mitigate
    undiscovered vulnerabilities in these third-party applications while running within
    a cPanel installation.

    Fix Details:
    It is recommended that all cPanel servers running Horde be updated to either
    cPanel 11.18.3 or cPanel 11.19.3. If you do not wish to update cPanel, it is
    strongly recommended that you keep Horde disabled until these updates have been
    applied. You can disable Horde on your cPanel system by unchecking WHM ->
    Server Configuration -> Tweak Settings -> Mail -> Horde Webmail, and saving with
    the new settings.

    You can check your current version of cPanel by executing:
    /usr/local/cpanel/cpanel -V

    Updates can be run via the following command executed from a root shell:
    /scripts/upcp

    Updates can be run through WHM as well. Log in to WHM, then select cPanel -> Upgrade
    to Latest Version -> Click to Upgrade.

    References:
    http://lists.horde.org/archives/announce/2008/000382.html

    Credits:
    cPanel would also like to thank Jeff Petersen and Rob Brown for the additional
    security information provided with regards to this update.
    *************************
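The question raised in the thread (which build is "patched enough") comes down to comparing the output of `/usr/local/cpanel/cpanel -V` against the fixed builds named in the two cPanel notices. The script below is an added example, not code from the thread or from cPanel: it treats 11.18.3 as the minimum for the 11.18 (stable) branch and 11.19.3 as the minimum for EDGE and anything newer, and it assumes the version output begins with a dotted number (a trailing build tag, if any, is stripped).

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): classify a cPanel/WHM version
# string against the builds that ship the Horde 3.1.7 fix.

# version_ge A B: succeed (exit 0) when dotted version A >= B.
# Missing trailing fields are treated as 0 (11.18 == 11.18.0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# horde_fix_status VERSION: print "patched" or "unpatched".
# Assumption: VERSION starts with digits and dots, e.g. "11.18.3" or a
# constructed form like "11.18.3-STABLE_21703"; anything after the numeric
# prefix is ignored.
horde_fix_status() {
    v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*//')
    case "$v" in
        11.18.*) min=11.18.3 ;;   # stable branch per the second notice
        *)       min=11.19.3 ;;   # EDGE branch, and any later branch
    esac
    if version_ge "$v" "$min"; then
        echo patched
    else
        # Per the notice: keep Horde disabled in WHM (Tweak Settings -> Mail)
        # until /scripts/upcp has brought the server to the fixed build.
        echo unpatched
    fi
}

# Usage: ./check_horde_fix.sh "$(/usr/local/cpanel/cpanel -V)"
if [ $# -gt 0 ]; then
    horde_fix_status "$1"
fi
```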
     