Horde Webmail users are urged to disable a feature to contain a nine-year-old unpatched security vulnerability in the software that could be exploited to gain full access to email accounts simply by previewing an attachment.
“This gives the attacker access to any sensitive and possibly secret information a victim has stored in their email account and could allow them further access to an organization’s internal services,” Simon said. Scannell, vulnerability researcher at SonarSource. noted in a report.
A “any volunteer project“, the Horde Project is a free browser-based communication suite that allows users to read, send, and organize email, as well as manage and share calendars, contacts, tasks, notes, files and bookmarks.
Stored XSS attacks occur when a malicious script is injected directly into the server of a vulnerable web application, such as a website’s comment field, causing the untrusted code to be retrieved and transmitted to the web browser. victim whenever the stored information is requested.
“The vulnerability is triggered when a targeted user views an attached OpenOffice document in the browser,” Scannell said. “As a result, an attacker can steal all emails the victim has sent and received.”
Worse still, if an administrator account with a personalized, malicious email is successfully compromised, the attacker could abuse this privileged access to take control of the entire webmail server.
The flaw was initially reported to project officials on August 26, 2021, but to date no fix has been sent despite confirmation from the vendor acknowledging the flaw. We’ve reached out to Horde for further comment, and will update if we receive a response.
In the meantime, Horde Webmail users are advised to disable rendering of OpenOffice attachments by changing the config/mime_drivers.php file to add config option ‘disable’ => true to OpenOffice mime handler.