9-year-old unfixed email hacking bug discovered in Horde webmail software

Horde Webmail users are urged to disable a feature to contain a nine-year-old unpatched security vulnerability in the software that could be exploited to gain full access to email accounts simply by previewing an attachment.

“This gives the attacker access to any sensitive and possibly secret information a victim has stored in their email account and could allow them further access to an organization’s internal services,” Simon said. Scannell, SonarSource Vulnerability Researcher, in a report.

An “all-volunteer project”, Project Horde is a free browser-based communication suite that allows users to read, send and organize email as well as manage and share calendars, contacts , tasks, notes, files and bookmarks.

Automatic GitHub backups

The flaw, which was introduced as part of a push code change on November 30, 2012, addresses a case of an “unusual” Stored Cross-Site Scripting (aka Persistent XSS) flaw that allows an adversary to create an OpenOffice document in such a way that when previewed, it automatically executes an arbitrary JavaScript payload.

Stored XSS attacks occur when a malicious script is injected directly into the server of a vulnerable web application, such as a website’s comment field, causing the untrusted code to be retrieved and transmitted to the web browser. victim whenever the stored information is requested.

“The vulnerability is triggered when a targeted user views an attached OpenOffice document in the browser,” Scannell said. “As a result, an attacker can steal all emails the victim has sent and received.”

Worse still, if an administrator account with a personalized, malicious email is successfully compromised, the attacker could abuse this privileged access to take control of the entire webmail server.

Prevent data breaches

The flaw was initially reported to project officials on August 26, 2021, but to date no fix has been sent despite confirmation from the vendor acknowledging the flaw. We’ve reached out to Horde for further comment, and will update if we receive a response.

In the meantime, Horde Webmail users are advised to disable OpenOffice attachment rendering by editing the config/mime_drivers.php file to add the config option ‘disable’ => true to the OpenOffice mime driver.

Source link

June J. Lopez