Horde remote code execution

Description

Horde Groupware Webmail Edition is a browser-based enterprise communication suite. A critical remote code execution vulnerability (CVE-2014-1691) affects Horde versions 3.1.x through 5.1.1, allowing unauthenticated attackers to execute arbitrary PHP code on the server. This vulnerability was publicly disclosed by security researcher Pedro Ribeiro and poses a severe risk to all affected installations.

Remediation

Immediately upgrade Horde Groupware Webmail Edition to version 5.1.2 or later, which contains the security fix for CVE-2014-1691. Follow these steps:

1. Back up your current Horde installation and database before proceeding
2. Download the latest stable version from the official Horde website
3. Follow the upgrade instructions in the Horde documentation for your specific version
4. After upgrading, verify the installation is functioning correctly
5. Review server logs for any suspicious activity that may indicate prior exploitation

If immediate upgrading is not possible, consider temporarily restricting access to the Horde application to trusted IP addresses only until the patch can be applied. See the references provided for additional technical details and the specific commit that addresses this vulnerability.
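To decide which installations the upgrade steps above apply to first, the version range stated in the description can be checked against an inventory. The script below is an added example, not Invicti or Horde code; it assumes you already have each install's reported version string, and the hostnames and version strings in it are constructed.

```python
import re

# Range as stated in the advisory: 3.1.x through 5.1.1 affected, fix in 5.1.2.
FIRST_AFFECTED = (3, 1, 0)
FIRST_FIXED = (5, 1, 2)

_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-~.]?(alpha|beta|rc)\d*)?", re.I)


def classify(version_text):
    """Map a reported Horde version string to a triage status."""
    m = _VERSION.search(version_text or "")
    if not m:
        return "unknown"            # no parseable version: check by hand
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if release < FIRST_AFFECTED:
        return "not-listed"         # older than the range the advisory covers
    if release < FIRST_FIXED:
        return "affected"
    if release == FIRST_FIXED and m.group(4):
        return "review"             # pre-release of 5.1.2: fix not confirmed
    return "fixed"


def triage(inventory):
    """Group hosts by status so affected installs are upgraded first."""
    groups = {}
    for host, version_text in inventory:
        groups.setdefault(classify(version_text), []).append(host)
    return groups


# Constructed inventory: hostnames and version strings are illustrative only.
SAMPLE_INVENTORY = [
    ("mail01.example.internal", "Horde Groupware Webmail Edition 5.1.1"),
    ("mail02.example.internal", "5.1.2"),
    ("legacy.example.internal", "3.1"),
    ("stage.example.internal", "5.1.2-RC1"),
    ("old.example.internal", "3.0.9"),
    ("lab.example.internal", "version not recorded"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:10} {', '.join(hosts)}")
```

Hosts reported as "not-listed", "review" or "unknown" fall outside what the advisory states and need a manual check rather than being treated as safe.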
