Horde/IMP Plesk webmail exploit - Vulnerability Database

Horde/IMP Plesk webmail exploit

Description

The Horde/IMP webmail package (versions 3.1.7-3.3.2) shipped with Plesk 8.x and 9.x (prior to 9.5.4) contains a critical remote code execution vulnerability. The attack chains two weaknesses: first, user-supplied input (such as login usernames) is written without sanitization to /var/log/psa-horde/psa-horde.log; second, the barcode.php file contains a path traversal flaw that lets an attacker include and execute arbitrary log files. By submitting PHP code as the username in a POST request to /horde/imp/redirect.php, an attacker injects that code into the log file; by then requesting /horde/util/barcode.php with a crafted path traversal parameter that points at the log file, the attacker executes the injected PHP on the server. The chain requires no authentication and can lead to complete server compromise.

Remediation

Take the following immediate actions to remediate this vulnerability:

1. Apply Security Patches: Download and install the official Horde security patch for versions 3.1.7-3.3.2 from Parallels. Refer to Parallels KB article 113374 for platform-specific patch instructions.

2. Upgrade Plesk: If possible, upgrade to Plesk 9.5.4 or later, which includes the patched Horde/IMP package.

3. Immediate Mitigation (if patching is delayed):

  • Restrict access to /horde/util/barcode.php by adding access controls in your web server configuration
  • Review /var/log/psa-horde/psa-horde.log for suspicious entries containing PHP code or shell commands
  • Monitor web server access logs for requests to barcode.php with traversal sequences (e.g., ../)

4. Post-Remediation: Conduct a security audit to identify any signs of compromise, including unexpected files in /tmp, unauthorized user accounts, or suspicious cron jobs.
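The two log checks in step 3 can be scripted. The following is an added example, not part of the Invicti entry or of Plesk/Horde: it scans constructed Apache-style access log lines for requests to barcode.php that carry a traversal sequence (after undoing percent-encoding, including double encoding) and scans constructed psa-horde.log lines for PHP open tags. "PARAM" is a placeholder query-parameter name and the psa-horde.log line format is illustrative only.

```python
import re
from urllib.parse import unquote

# Constructed sample data for this example (not real traffic). "PARAM" is a
# placeholder query-parameter name, not the real barcode.php parameter.
ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2010:12:00:01 +0000] "GET /horde/imp/login.php HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2010:12:00:09 +0000] "GET /horde/util/barcode.php?PARAM=..%2F..%2F..%2Fvar%2Flog%2Fpsa-horde%2Fpsa-horde.log HTTP/1.1" 200 33
203.0.113.9 - - [10/Mar/2010:12:00:11 +0000] "GET /horde/util/barcode.php?PARAM=%252e%252e%252f%252e%252e%252f HTTP/1.1" 200 33
198.51.100.2 - - [10/Mar/2010:12:01:00 +0000] "GET /horde/util/barcode.php?PARAM=code128 HTTP/1.1" 200 1024
"""
# Constructed lines imitating psa-horde.log entries; the line format is illustrative.
HORDE_LOG = """\
Mar 10 12:00:05 HORDE [notice] [imp] Login success for alice [203.0.113.5]
Mar 10 12:00:07 HORDE [error] [imp] FAILED LOGIN 203.0.113.9 as <?php echo 'marker'; ?>
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')          # "../" or "..\" anywhere in the decoded target
PHP_TAG_RE = re.compile(r'<\?(php|=)?', re.IGNORECASE)


def fully_decode(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def flag_barcode_traversal(access_log):
    """Return (client_ip, decoded_target) for requests to barcode.php carrying a traversal sequence."""
    hits = []
    for line in access_log.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = fully_decode(m.group('target'))
        if 'barcode.php' in target.lower() and TRAVERSAL_RE.search(target):
            hits.append((m.group('ip'), target))
    return hits


def flag_php_in_horde_log(horde_log):
    """Return psa-horde.log lines that contain a PHP open tag (a sign of logged, unsanitized input)."""
    return [line for line in horde_log.splitlines() if PHP_TAG_RE.search(line)]


if __name__ == "__main__":
    for ip, target in flag_barcode_traversal(ACCESS_LOG):
        print("traversal request from", ip, "->", target)
    for line in flag_php_in_horde_log(HORDE_LOG):
        print("PHP in horde log:", line)
```

Point the two functions at the real files (`/var/log/httpd/access_log` or the vhost log, and /var/log/psa-horde/psa-horde.log) and treat any hit as a reason to follow step 4.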
