CVE CyberSecurity Database News

CVE-2022-30287 - Exploiting Arbitrary PHP Object Deserialization in Horde Groupware Webmail Edition

Poster -

CVE-2022-30287 affects Horde Groupware Webmail Edition up to version 5.2.22. This vulnerability is pretty scary: it allows an attacker to inject reflected data that gets unserialized by PHP, which commonly leads to remote code execution. Let's break down how this works, why it's dangerous, and how attackers can exploit it. We'll also look at the original references and a sample proof-of-concept.

What is Horde Groupware Webmail Edition?

For context, Horde Groupware Webmail is a full email suite written in PHP, widely used by organizations around the world. Like many PHP apps, it handles tons of user input and relies heavily on object-oriented data structures.

What is CVE-2022-30287?

This vulnerability is all about unsafe deserialization—when user-supplied data is turned back into a PHP object, without enough checks. If attackers can control the type or content of the object, they can often make PHP run arbitrary code, delete data, or do other damaging operations.

Specifically, in Horde Webmail (<= 5.2.22), an attacker can inject a specially crafted string that creates an instance of any driver class (a design pattern used frequently in Horde), leading to a situation where arbitrary PHP objects get unserialized.

From the CVE report

> "Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects."  
> — CVE-2022-30287 page

Let’s look at this step by step

1. User Input: Horde Webmail exposes several endpoints that let users specify driver types or settings (e.g., through POST, GET, or cookies).
2. Driver Instantiation: Horde code uses user-supplied values in a call to something like new $driverType(), which is a form of reflection.
3. Deserialization: At some point, this user-controlled driver name is passed into PHP’s unserialize() or a similar function, directly or indirectly.
4. Attack Payload: Attackers create serialized PHP objects that, when unserialized, trigger a “magic method” like __wakeup() or __destruct() and execute arbitrary code.

The key weakness is that attackers control what class is created, and what data is fed into it, *and* this is passed through unserialize(), which is famous for being dangerous with untrusted data.

The vulnerable code may look like this inside the Horde libraries

// Example of unsafe driver loading with user input
$driver = $_GET['driver']; // attacker controls this
$object = new $driver();
$data = $_GET['data']; // attacker controls this too!
$object->load(unserialize($data)); // unsafe deserialization!

If the attacker can choose the $driver (class name) and $data (serialized object), this is game over.

Proof of Concept Exploit

Let’s see a simple proof-of-concept (PoC) for this bug. Assume there is a vulnerable endpoint at /horde/vulnerable.php:

/vulnerable.php?driver=EvilClass&data=O:8:"EvilClass"::{}

An attacker might supply their own malicious EvilClass definition. But often, attackers will scan the code for a class already present with magic methods (__destruct, __wakeup, __toString, etc.) that perform file operations or call other functions.

A classic PHP deserialization attack uses the built-in classes in the application that abuse file operations, for example:

O:23:"SomePathTraversalClass":1:{s:4:"file";s:18:"/var/www/shell.php";}

After deserialization, if the class’s magic method writes something to file, you can end up with remote code execution.

How Attackers Exploit This

Step 1: Find out which driver classes are present and which ones have dangerous magic methods.

Step 2: Craft a PHP serialized payload that, on deserialization, will execute code (read a file, write to disk, etc.).

Step 3: Call the vulnerable Horde endpoint with the custom driver parameter and a crafted data payload.

Step 4: Get shell access or leak sensitive data.

- Official CVE Entry (NVD)
- Original Horde Security Advisory
- HackerOne report (sometimes blocked)
- ZDI Advisory (Trend Micro)

Some more technical blogs

- Ambionics Security Research on PHP Unserialization
- PHP Deserialization Vulnerabilities

How to Protect Yourself

- Update Now! The Horde team has patched this in later releases. Make sure you’re running a version above 5.2.22.
- Never Unserialize Untrusted Data! This is the golden rule in PHP security. If you must, always validate and sanitize inputs, or switch to safer formats like JSON.
- Audit Classes for Magic Methods. Many deserialization exploits use __wakeup, __destruct, and similar. Restrict these as much as possible.

Conclusion

CVE-2022-30287 is a powerful arbitrary object deserialization hole in Horde Groupware Webmail Edition, and it's a stark reminder of how dangerous PHP unserialization can be. If you’re using Horde, don’t wait—update right away.  

If you’re a developer: make sure user input is never used to instantiate classes or deserialize data. And if you’re a pentester or bug hunter, always look for these patterns in PHP apps: user-controlled class names, unserialize() calls, and magic methods that do file or command operations.


Stay safe! If you want more technical detail or help fixing legacy PHP apps, check out the linked resources, or ask your security team to run an audit.


*This post was written exclusively for this request and includes original analysis and carefully curated references for further reading.*

Timeline

Published on: 07/28/2022 22:15:00 UTC
Last modified on: 08/05/2022 16:16:00 UTC