Let's start here: starting modus.py against Horde 5.2.22 (from Bitnami - thanks again; I also verified the results with Horde 5.2.21):
TL;DR - details:
1) CVE-2017-16908
I think you're already familiar with this one...
Ok, "we got it". Next.
(...) and break. ;] After a few days, I decided to rewrite modus again, this time to prepare more detailed 'checks' for all the different webapps I have had the pleasure to read so far (while creating the whole 'simple code'). Below we will start from the results found by version v0.3. As the 'input case' here, I'll use the Horde 5.2.22 mentioned before.
Here we go...
2) CVE-2017-16907
This one was also mentioned during last Horde "review". I believe that this is our guy:
Next.
3) CVE-2017-16906 - yep, you know it:
Next.
4) 'name', 'response_type', 'description':
5) 'email' parameter (below) - but I wasn't able to access this part of the webapp (probably because of my poor configuration; anyhow):
Below you will find 'all 4' parameters (described by modus as 'possibly vulnerable'):
As you can see, if during 'echo ... renderActive()' we do not get any sanitization, it results in XSS. Checking deeper:
Looks like this:
So now:
But from the DB perspective it still looks like (not filtered) this:
So I don't know (and I'll leave it for you as an exercise ;])
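An added illustration of the point above (my own code, not Horde's and not part of modus.py): the value reaches the database unfiltered, so whether it ends up as XSS depends entirely on what happens at output time. The stored value, the two `render_*` functions and the `reflects_markup` check are all constructed for this example.

```python
import html
import re

# Constructed sample: what a 'name' / 'description' field looks like once it
# is stored. Nothing was filtered on the way in, so the row holds exactly what
# the user submitted.
STORED_NAME = '<script>alert(1)</script>'


def store_and_fetch(db, key, value):
    """Hypothetical persistence layer: no input filtering, mirroring the
    'from the DB perspective it still looks like (not filtered)' observation."""
    db[key] = value
    return db[key]


def render_unescaped(value):
    """Stand-in for an 'echo ... renderActive()' that emits the value as-is."""
    return f'<span class="name">{value}</span>'


def render_escaped(value):
    """Same markup, but the value is HTML-encoded at the point of output.
    quote=True also encodes quotes, which matters inside attribute values."""
    return f'<span class="name">{html.escape(value, quote=True)}</span>'


_TAG_RE = re.compile(r'<\s*/?\s*[a-zA-Z][^>]*>')


def reflects_markup(stored_value, rendered_html):
    """Return True when a tag from the stored value survives unencoded in the
    rendered page, i.e. the stored text became live markup."""
    tags_in_input = {t.lower() for t in _TAG_RE.findall(stored_value)}
    if not tags_in_input:
        return False
    return any(t in rendered_html.lower() for t in tags_in_input)


if __name__ == '__main__':
    db = {}
    value = store_and_fetch(db, 'name', STORED_NAME)
    print('unescaped output is XSS:', reflects_markup(value, render_unescaped(value)))
    print('escaped output is XSS:  ', reflects_markup(value, render_escaped(value)))
```

The takeaway is the one the post makes: the database row is the same in both cases, so "it is stored raw" is not by itself the bug; the bug is the output path that skips encoding.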
6) 'name', 'description', 'members[]' - see below:
From modus example-test-log:
7) error-message not stripped properly - 'date' example case:
8) 'targetcalendar':
From the code (and Burp) perspective, it looks like this:
More:
and our toJson():
Ok, next one (but I believe that this is still not the last bonus from modus.py ... ;])
9) SQL injection - 'group' parameter (but you need to log in first)
Request:
and response verified by sqlmap again:
I'm still working on modus.py so maybe later I will post some more results.
Cheers
P.S. You will find another SQL injection bug here:
10) SQL injection - 'homePostalCode':
Request poc:
"Response":
Cheers :]
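For cases 9 and 10, an added example (my own code, not Horde's) of what separates a 'group' / 'homePostalCode' lookup that is injectable from one that is not: the first builds the statement text from the parameter, the second binds it as a value. The table, rows and function names are constructed; sqlite3 from the standard library stands in for the real backend.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a user/group table.
def build_db():
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (name TEXT, grp TEXT, homePostalCode TEXT)')
    conn.executemany('INSERT INTO users VALUES (?, ?, ?)', [
        ('alice', 'admins', '00-001'),
        ('bob', 'staff', '00-002'),
        ('carol', 'staff', '00-003'),
    ])
    return conn


def lookup_vulnerable(conn, group):
    """The parameter is spliced into the SQL text, so whatever the client
    sends becomes part of the statement grammar."""
    sql = "SELECT name FROM users WHERE grp = '" + group + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, group):
    """Placeholder binding: the value travels separately from the statement
    and is only ever compared as a string."""
    sql = 'SELECT name FROM users WHERE grp = ? ORDER BY name'
    return [row[0] for row in conn.execute(sql, (group,))]


_GROUP_NAME = re.compile(r'^[A-Za-z0-9_-]{1,64}$')


def validate_group_name(group):
    """Defence in depth: a group name has a known shape, so reject anything
    else before it gets near the database (binding alone is already enough
    to stop injection; this just shrinks the accepted input)."""
    if not _GROUP_NAME.match(group):
        raise ValueError('invalid group name')
    return group


if __name__ == '__main__':
    conn = build_db()
    probe = "x' OR '1'='1"          # constructed tautology input
    print('vulnerable:', lookup_vulnerable(conn, probe))   # every row
    print('safe:      ', lookup_safe(conn, probe))         # no row
```

The vulnerable variant returns every user for the tautology input, which is the kind of behaviour sqlmap confirms; the bound variant returns nothing because no group is literally named `x' OR '1'='1`.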
* Updated 30.09.2018 @ 23:28 *
Steps to reproduce were verified for 3 versions:
- 5.2.19
- 5.2.21
- 5.2.22
and none of them were vulnerable to the requests described in 'case 9' and 'case 10'.
Once again, big thanks go to the Debian Team and the Horde Project for their cooperation.