CVE-2017-15235

high
Published 2017-10-11 · Modified 2026-05-13
CVSS v3
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4 NEW
not yet in upstream
VIR risk
8.5

Description

The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename.

Predictions

Exploit likelihood
83%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-44059 webapps php text · 2 KB
SecuriTeam · 2017-08-03

Horde Groupware 5.2.21 - Unauthorized File Download

Source: Exploit-DB
## Vulnerability Summary
The following advisory describes an unauthorized file download vulnerability found in Horde Groupware version 5.2.21.

Horde Groupware Webmail Edition is “a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project. Horde Groupware Webmail Edition bundles the separately available applications IMP, Ingo, Kronolith, Turba, Nag, Mnemo, Gollem, and Trean.”

## Credit
An independent security researcher, Juan Pablo Lopez Yacubian, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

## Vendor response
Horde Groupware was informed of the vulnerability, to which they responded with:
“this has already been reported earlier by someone else, and is already fixed in the latest Gollem and Horde Groupware releases.

Besides that, it’s not sufficient to have a list of the server’s users, you also need to exactly know the file name and path that you want to download. Finally, this only works on certain backends, where Horde alone is responsible for authentication, i.e. it won’t work with backends that require explicit authentication.”

CVE: CVE-2017-15235

## Vulnerability details
User-controlled input is not sufficiently sanitized when passed to the File Manager (gollem) module (version 3.0.11).

The “fn” parameter does not validate certain meta characters, which allows the requested file or filesystem to be downloaded without credentials.

It is only necessary to know the username and the file name.

## Proof of Concept
```
User = this is the username in horde
/ = the Meta character /
/services/download/?app=gollem&dir=%2Fhome%2Fuser&backend=sqlhome&fn=/test.php
```
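A defender-side check for the pattern the advisory describes, written as an added example (it is not part of the SecuriTeam advisory or the Horde project): it scans Apache-style access-log lines for requests to the gollem download endpoint whose `fn` value begins with the `/` meta character or contains `..`, and reports the client, the logged user and the response status. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from any real server).
# Line 1 mirrors the advisory's request shape with no authenticated user;
# line 2 is a normal download by a logged-in user; line 3 is unrelated.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Oct/2017:10:01:02 +0000] "GET /horde/services/download/?app=gollem&dir=%2Fhome%2Fuser&backend=sqlhome&fn=/test.php HTTP/1.1" 200 512 "-" "curl/7.55"
198.51.100.7 - alice [11/Oct/2017:10:02:15 +0000] "GET /horde/services/download/?app=gollem&dir=%2Fhome%2Falice&backend=sqlhome&fn=report.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Oct/2017:10:03:40 +0000] "GET /horde/login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

# Combined-log-format prefix: client, ident, authenticated user, timestamp,
# request line and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious_gollem_download(target: str) -> bool:
    """True when the request targets the gollem download endpoint with an fn
    value that starts with '/' or contains '..' (the meta characters the
    advisory says are not validated)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/services/download/"):
        return False
    qs = parse_qs(parts.query)          # parse_qs already percent-decodes
    if qs.get("app", [""])[0] != "gollem":
        return False
    fn = qs.get("fn", [""])[0]
    return fn.startswith("/") or ".." in fn


def find_suspicious_downloads(log_text: str) -> list[dict]:
    """Return one record per matching request. A 200 status with no logged
    user ('-') is the strongest signal that the bypass actually worked."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_gollem_download(m["target"]):
            hits.append({"ip": m["ip"], "user": m["user"],
                         "status": m["status"], "target": m["target"]})
    return hits
```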

OS impact

Debian: fixed in 3 releases

| Version | Status | Fixed in |
| --- | --- | --- |
| sid | Fixed | 3.0.12-1 |
| bullseye | Fixed | 3.0.12-1 |
| bookworm | Fixed | 3.0.12-1 |

Application impact

| Vendor | Product | Versions | Fixed |
| --- | --- | --- | --- |
| horde | groupware | 5.2.21 | |

References

CWEs

CWE-425
