There's a vulnerability in Horde that appears to allow remote code execution. I haven't looked closely enough at it yet to determine whether it requires a user be logged in and is thus less of a threat (I think that's the case due to the way cPanel wraps Horde and requires a login first, but I'm not positive), but either way I wanted to post it here first.
It's been given CVE number 2006-1491, and the appropriate diff is available on the Horde CVS page. FYI, it's not actually line 54 in the version of Horde running on the latest stable of cPanel (assuming I'm running what I think I'm running), but rather line 56.







