Horde Groupware Calendar Component Local File Include Vulnerability

Bugtraq ID:	22273
Class:	Input Validation Error
CVE:	CVE-2007-0579
Remote:	Yes
Local:	No
Published:	Jan 27 2007 12:00AM
Updated:	May 07 2015 06:03PM
Credit:	The vendor disclosed this issue.
Vulnerable:	Horde Project Groupware Webmail Edition 1.0-RC2 Horde Project Groupware 1.0-RC3
Not Vulnerable:	Horde Project Groupware Webmail Edition 1.0 Horde Project Groupware 1.0

Horde Groupware Calendar Component Local File Include Vulnerability

Horde Groupware is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized remote user to view arbitrary files and execute local scripts in the context of the webserver process.

Horde Groupware Calendar Component Local File Include Vulnerability

Attackers can exploit this issue via a web client.

Horde Groupware Calendar Component Local File Include Vulnerability

Solution:
The vendor has released updates to address this issue.


Horde Project Groupware 1.0-RC3

• Horde horde-groupware-1.0.tar.gz
  ftp://ftp.horde.org/pub/horde-groupware/horde-groupware-1.0.tar.gz

Horde Project Groupware Webmail Edition 1.0-RC2

• Horde horde-webmail-1.0.tar.gz
  ftp://ftp.horde.org/pub/horde-webmail/horde-webmail-1.0.tar.gz

Horde Groupware Calendar Component Local File Include Vulnerability

References:

• [announce] Horde Groupware 1.0 (final) (Horde)
  
• [announce] Horde Groupware Webmail Edition 1.0 (final) (Horde)
  
• Groupware Homepage (Horde)
  
• Horde Homepage (Horde Project)