Horde Gollem Reflected Cross-Site Scripting (XSS)

Summary

Horde Gollem 3.0.12, as used in Horde Groupware Webmail Edition 5.2.22, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality. An attacker can obtain access to a victim’s webmail account by making them visit a malicious URL.

Product description (from vendor)

Gollem is a web-based file manager, providing the ability to fully manage a hierarchical file system stored in a variety of backends such as a SQL database, as part of a real filesystem, or on FTP, Samba or SSH servers. For more information on Gollem, visit http://www.horde.org/apps/gollem.

CVE(s)

Details

Root cause analysis

The dir parameter of the gollem/manager.php page defines the folder Gollem opens for the user. That page calls Gollem::directoryNavLink to build a dynamic URL to the parent folder, on line 285:

    <?php
    $template->navlink = Gollem::directoryNavLink(Gollem::$backend['dir'], $manager_url);

The names of the current folder's parent folders are correctly encoded, but the last component (the current folder itself) is not, as we can see on line 696:

    <?php
    [...]

    $parts = explode('/', $currdir);
    $parts_count = count($parts);

    [...]

    for ($i = 1; $i <= $parts_count; ++$i) {
        $part = array_slice($parts, 0, $i);
        $dir = implode('/', $part);
        [...]
        if ($i == $parts_count) {
            // line 696: the current folder name is emitted without htmlspecialchars()
            $label[] = $parts[($i - 1)];
        } else {
            $label[] = Horde::link($url->add('dir', $dir), sprintf(_("Up to %s"), $dir)) . htmlspecialchars($parts[($i - 1)]) . '</a>';
        }

    [...]

By supplying a malicious current folder name through the dir parameter, it is therefore possible to inject arbitrary HTML into the page.
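The missing encoding on the last component, shown on a minimal stand-in for the breadcrumb loop. This is an added example, not Gollem's own code: Horde::link is replaced by a plain anchor, the function name buildNavLink is hypothetical, and the input is the decoded dir value from the proof of concept.

```php
<?php
// Added example, not Gollem's own code: a minimal stand-in for the breadcrumb
// loop in Gollem::directoryNavLink. Horde::link is replaced by a plain <a>
// (assumption), and escaping of the last path component is switchable so the
// vulnerable (3.0.12) and fixed (3.0.13) behaviour can be compared on one input.

function buildNavLink(string $currdir, string $baseUrl, bool $escapeLast): string
{
    $parts = explode('/', $currdir);
    $count = count($parts);
    $label = [];

    for ($i = 1; $i <= $count; ++$i) {
        $dir  = implode('/', array_slice($parts, 0, $i));
        $name = $parts[$i - 1];

        if ($i == $count) {
            // Current folder: emitted raw in the vulnerable version, encoded in the fix.
            $label[] = $escapeLast
                ? htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
                : $name;
        } else {
            // Parent folders were already encoded in the vulnerable version.
            $href    = $baseUrl . '?dir=' . rawurlencode($dir);
            $label[] = '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
                     . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</a>';
        }
    }

    return implode('/', $label);
}

// Constructed input: the decoded dir parameter from the advisory's proof of concept,
// placed under a parent folder so both branches of the loop are exercised.
$currdir = 'docs/<img src=1 onerror=alert(document.domain)>';
$baseUrl = '/gollem/manager.php';

$vulnerable = buildNavLink($currdir, $baseUrl, false);
$fixed      = buildNavLink($currdir, $baseUrl, true);

// The vulnerable output still carries a raw <img> tag; the fixed output only
// contains it as &lt;img ...&gt; text, which the browser renders literally.
assert(strpos($vulnerable, '<img') !== false);
assert(strpos($fixed, '<img') === false);
assert(strpos($fixed, '&lt;img') !== false);

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";
```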

Proof of concept

  1. Navigate to the following URL: [webmail hostname/IP]/gollem/manager.php?dir=%3Cimg%20src=1%20onerror=alert%28document.domain%29%3E
  2. Observe that the JavaScript code alert(document.domain) is executed.

Impact

An unauthenticated attacker might be able to gain access to the victim's webmail account by making them visit a URL that triggers the XSS vulnerability.

Remediation

The folder name is now correctly encoded regardless of its position in the path. Upgrade to Horde Gollem 3.0.13.

Disclosure timeline

This report was subject to Shielder’s disclosure policy:

Credits

`polict` of Shielder

Date

20 April 2020