GHSA-c8m7-r2jv-rw63: EGroupware Vulnerable to Local File Inclusion via file:// URI in Mail Compose
Summary
The function processes image URLs embedded in an HTML email body without validating or restricting URI schemes. The check !str_starts_with($myUrl, 'http') evaluates to true for file:// URIs, causing file_get_contents($basedir . urldecode($myUrl)) to read arbitrary files from the server filesystem and embed them as inline MIME attachments in outgoing email.
str_starts_with('file:///etc/passwd', 'http') → false
!false → true
// api/src/Mail.php
foreach($images[2] as $i => $url)
{
//$isData = false;
$basedir = $data = '';
$needTempFile = true;
$attachmentData = ['name' => '', 'type' => '', 'file' => '', 'tmp_name' => ''];
try
{
// do not change urls for absolute images (thanks to corvuscorax)
if (!str_starts_with($url, 'data:'))
{
$attachmentData['name'] = basename($url); // need to resolve all sort of url
if (($directory = dirname($url)) == '.') $directory = '';
$ext = pathinfo($attachmentData['name'], PATHINFO_EXTENSION);
$attachmentData['type'] = MimeMagic::ext2mime($ext);
if ( strlen($directory) > 1 && !str_ends_with($directory, '/')) { $directory .= '/'; }
..
...
....
// processURL2InlineImages function
if ( $myUrl[0]!='/' && strlen($basedir) > 1 && !str_ends_with($basedir, '/')) { $basedir .= '/'; }
if ($needTempFile && empty($attachment) && !str_starts_with($myUrl, "http"))
{
try {
$data = file_get_contents($basedir.urldecode($myUrl));
}
catch (\Throwable $e) {
_egw_log_exception($e);
}
}
}
if (str_starts_with($url, 'data:'))
PoC
1. Log in as any authenticated EGroupware user with mail access and open the mail compose window.
2. Switch to HTML body mode and insert: <img src="file:///etc/passwd">.
3. The server executes file_get_contents('file:///etc/passwd'), writes the content to a temp file, and attaches it as an inline MIME part.
Impact
An authenticated attacker can read arbitrary files accessible by the web server process, including /etc/passwd, application configuration files containing database credentials, private TLS keys, and environment fil
Details
Original advisory: https://github.com/advisories/GHSA-c8m7-r2jv-rw63
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-45016 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10