A feature in the Horde Webmail is affected by a nine-year-old unpatched security vulnerability that could be abused to gain complete access to email accounts simply by previewing an attachment.
Horde Webmail is a free, enterprise-ready, and browser-based communication suite developed by the Horde project. This webmail solution is widely adopted by universities and government agencies.
“We discovered a code vulnerability in Horde that allows an attacker to gain full access to the email account of a victim when it loads the preview of a harmless-looking email attachment.” reads a report published by Sonarsource. “This gives the attacker access to all sensitive and perhaps secret information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization.”
The vulnerability discovered by Sonarsource is a stored XSS vulnerability that was introduced with the commit 325a7ae, 9 years ago. The bug affects all the versions since the commit that took place on 30 Nov 2012.
In the worst case, the attacker can compromise an administrator account and take over the webmail server.
Sonarsource reported this flaw almost 6 months ago, there is currently no official patch available.
The researchers recommend disabling the rendering of OpenOffice attachments. Administrators can edit the config/mime_drivers.php file in the content root of their Horde installation add the
'disable' => true
configuration option to the OpenOffice mime handler:
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Horde Webmail)