Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200406-09] Horde-Chora: Remote code execution Vulnerability Scan
Vulnerability Scan Summary
Horde-Chora: Remote code execution
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200406-09
(Horde-Chora: Remote code execution)
A vulnerability in the diff viewer of Chora allows a remote attacker to inject
shell commands (the advisory text calls this "shellcode"). An attacker can
combine this with PHP's file upload handling to place a malicious binary on the
vulnerable server, chmod it executable, and run it.
The attacker could therefore execute arbitrary binaries with the privileges of
the user running PHP (typically the web server account), which may allow further
exploitation of local vulnerabilities and ultimately remote root access.
There is no known workaround at this time.
All users are advised to upgrade to the latest version of Chora:
# emerge sync
# emerge -pv ">=net-www/horde-chora-1.2.2"
# emerge ">=net-www/horde-chora-1.2.2"
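As an added example (not part of the GLSA, the Chora project or the scanner plugin), the following POSIX shell script performs the same local check this plugin does: it reads the installed net-www/horde-chora versions from the Portage database (assumed to live at /var/db/pkg, overridable with PKG_DB) and flags any version below 1.2.2. The version comparison is a simplification assumed here: it handles dotted numeric versions with an optional -rN revision and ignores suffixes such as _rc1, which Portage itself would rank below the release. The --demo mode builds a constructed, throwaway package database so the check can be exercised on a non-Gentoo host.

```shell
#!/bin/sh
# Added example: a local check for GLSA-200406-09, not part of the GLSA or the scanner plugin.
# Assumes the Portage installed-package database at /var/db/pkg (override with PKG_DB).

FIXED_VERSION="1.2.2"              # first fixed version according to the GLSA

# version_lt A B: succeed (exit 0) when Gentoo version A is older than B.
# Simplified comparison (an assumption of this example): dotted numeric components
# with an optional -rN revision, which is dropped; suffixes such as _rc1 or _p1 are
# ignored, so 1.2.2_rc1 would be treated as equal to 1.2.2.
version_lt() {
    a="${1%%-r*}"; b="${2%%-r*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"             # leading component of each
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}" # keep only the numeric prefix
        ai="${ai:-0}"; bi="${bi:-0}"             # a missing component counts as 0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1                                     # versions are equal
}

# chora_affected PKGDB: print one line per installed net-www/horde-chora version and
# succeed (exit 0) if any of them is older than FIXED_VERSION, i.e. the host is affected.
chora_affected() {
    pkgdb="$1"; affected=1
    for dir in "$pkgdb"/net-www/horde-chora-*; do
        [ -d "$dir" ] || continue                # no glob match: package not installed
        ver="${dir##*/horde-chora-}"
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo "VULNERABLE net-www/horde-chora-$ver < $FIXED_VERSION (GLSA-200406-09)"
            affected=0
        else
            echo "OK         net-www/horde-chora-$ver"
        fi
    done
    return "$affected"
}

# make_fake_pkgdb DIR VER...: build a constructed, minimal Portage database layout
# (only the directory names matter to this check) so it can be exercised offline.
make_fake_pkgdb() {
    fakedb="$1"; shift
    for v in "$@"; do mkdir -p "$fakedb/net-www/horde-chora-$v"; done
}

case "${1:-}" in
    --scan)
        # Real check: exit status 0 means affected, 1 means not affected.
        chora_affected "${PKG_DB:-/var/db/pkg}"; exit $?
        ;;
    --demo)
        # Constructed data: one vulnerable slot and one fixed slot.
        demo_db="$(mktemp -d)"
        make_fake_pkgdb "$demo_db" 1.2.1-r1 1.2.2
        chora_affected "$demo_db"
        rm -rf "$demo_db"
        ;;
    *)
        echo "usage: $0 --scan | --demo" >&2
        ;;
esac
```

Run it with --scan on the Gentoo host itself (the Portage database is only readable locally, which is why the plugin family is "Local Security Checks"); --demo shows the expected output on constructed data. Package revisions such as 1.2.1-r1 are still reported as vulnerable, while 1.2.2-r1 is treated as fixed, matching the ">=net-www/horde-chora-1.2.2" atom in the emerge command above.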
Threat Level: High