Horde Gollem Reflected Cross-Site Scripting (XSS)

Summary

Horde Gollem 3.0.12, as used in Horde Groupware Webmail Edition 5.2.22, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality. An attacker can obtain access to a victim’s webmail account by making them visit a malicious URL.

Product Description (from vendor)

Gollem is a web-based file manager, providing the ability to fully manage a hierarchical file system stored in a variety of backends such as a SQL database, as part of a real filesystem, or on FTP, Samba or SSH servers. For more information on Gollem, visit http://www.horde.org/apps/gollem.

CVE(s)

CVE-2020-8034

Details

Root Cause Analysis

The dir parameter in page gollem/manager.php is used to define the folder Gollem should open in the page for the user. Such page uses Gollem::directoryNavLink to create a dynamic URL to the parent folder on line 285:

1
2
<?php
$template->navlink = Gollem::directoryNavLink(Gollem::$backend['dir'], $manager_url);

The parents’ names of the current folder are correctly encoded, but not the last one, as we can see in line 696:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
    <?php
    [...]

    $parts = explode('/', $currdir);
    $parts_count = count($parts);

    [...]

    for ($i = 1; $i <= $parts_count; ++$i) {
        $part = array_slice($parts, 0, $i);
        $dir = implode('/', $part);
        [...]
        if ($i == $parts_count) {
-->         $label[] = $parts[($i - 1)];
        } else {
            $label[] = Horde::link($url->add('dir', $dir), sprintf(_("Up to %s"), $dir)) . htmlspecialchars($parts[($i - 1)]) . '</a>';
        }

    [...]

By using a malicious current folder name it is possible to write arbitrary HTML code in the webpage.

Proof of Concept

Navigate to the following URL: [webmail hostname/IP]/gollem/manager.php?dir=%3Cimg%20src=1%20onerror=alert%28document.domain%29%3E
Notice the execution of the JavaScript code alert(document.domain)

Impact

An unauthenticated attacker might be able to gain access to the victim’s webmail by making them visit an URL which triggers the XSS vulnerability.

Remediation

The folder name is now correctly encoded regardless of its position in the path. Upgrade to Horde Gollem 3.0.13.

Disclosure Timeline

This report was subject to Shielder’s disclosure policy:

21/01/2020: Initial report sent to security@horde.org
23/01/2020: Vendor acknowledges issue and begins triage process
04/03/2020: Vendor releases the patch: https://github.com/horde/gollem/commit/a73bef1aef27d4cbfc7b939c2a81dea69aabb083
20/04/2020:
- Vendor publishes the advisory: https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html
- Shielder’s advisory is made public

Credits

`polict` of Shielder

This advisory was first published on https://www.shielder.com/advisories/horde-gollem-reflected-cross-site-scripting-xss/

Advisory

Date

20 April 2020