Unfixed bug allows takeover of Horde webmail accounts and servers

Businesses that use Horde to read email in their browsers are advised to change a default setting in the webmail application to prevent email accounts from being hijacked through a dangerous vulnerability that was disclosed today and has yet to be fixed by the Horde team.

Discovered by SonarSource vulnerability researcher Simon Scannell, the flaw has existed in the Horde webmail app since the end of 2012 and resides in the functionality that takes OpenOffice documents and renders previews of them in the browser window.

This process takes the XML and XSLT files inside the OpenOffice document and converts them to HTML and CSS, which are then used to display the preview in the Horde preview pane.

In a report published today, Scannell said a malicious actor could insert crafted XML into an OpenOffice document that abuses the way this conversion takes place to produce malicious JavaScript code which, when the document is previewed in a user's Horde inbox, would run commands on the attacker's behalf.

The vulnerability, classified as a stored cross-site scripting (XSS) issue, could allow attackers to read a user's inbox or modify account settings.

“If an attacker manages to target an administrator with a personalized and malicious email, they could abuse this privileged access to support the entire webmail server,” Scannell added.

The vulnerability is considered a critical issue not only because of its possible consequences, but also because of Horde’s large user base.

The webmail application is one of three webmail clients that ship by default with cPanel, an advanced hosting control panel used by the vast majority of web hosting companies today, which means it is installed on tens of millions of websites or more, all of which are now exposed to attack.

No patch available, but there is a way to block attacks

Scannell said that despite their efforts to contact the Horde project last August, its maintainers failed to stay in contact with the researchers and did not respond to any follow-up emails regarding a possible patch, leaving the vulnerability uncorrected at the time of writing.

An email to the Horde team requesting information on the SonarSource report and a possible upcoming fix for this issue was not returned prior to publication.

Scannell said that despite the seriousness of the problem, there is at least one way to mitigate and prevent attacks: disabling the rendering of OpenOffice attachments in the Horde webmail application.

“To do this, administrators can modify the config/mime_drivers.php file in the content root of their Horde installation,” Scannell said, recommending that Horde server owners set the option ‘disable’ => true.
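The following is an added illustration of that mitigation and is not code from the article or from the Horde project. It shows, in comments, what the OpenOffice viewer entry in a stock config/mime_drivers.php is assumed to look like before and after adding the 'disable' flag, and then provides a small check script an administrator can run from the Horde root to confirm no enabled driver still handles OpenDocument or OpenOffice MIME types. The driver key 'ooo' and the MIME-type patterns are assumptions drawn from memory of Horde's default configuration; verify them against the file actually installed on your server.

```php
<?php
// check_ooo_preview.php: added example, not part of the article or of Horde.
// Run from the Horde root after editing config/mime_drivers.php to confirm
// that the OpenOffice attachment preview is off.
//
// The relevant entry in a stock config/mime_drivers.php is ASSUMED to look
// like this (driver key and MIME patterns from memory; check your own file):
//
//   $mime_drivers['ooo'] = array(
//       'inline'  => true,                      // render previews inline
//       'handles' => array(
//           'application/vnd.oasis.opendocument.*',
//           'application/vnd.sun.xml.*',
//       ),
//   );
//
// The mitigation is to add the 'disable' flag to that same entry, so Horde
// skips the viewer and offers the attachment for download only:
//
//   $mime_drivers['ooo'] = array(
//       'disable' => true,
//       'inline'  => true,
//       'handles' => array( /* unchanged */ ),
//   );

/**
 * Return the keys of every driver that is not disabled and still claims an
 * OpenDocument/OpenOffice MIME type. An empty array means the mitigation is
 * in effect for the patterns listed below.
 */
function ooo_viewers_still_enabled(array $drivers): array
{
    // Prefixes of the MIME types the OpenOffice viewer handles (assumed list).
    $ooo_prefixes = array(
        'application/vnd.oasis.opendocument.',
        'application/vnd.sun.xml.',
    );
    $enabled = array();

    foreach ($drivers as $key => $cfg) {
        if (!is_array($cfg) || !empty($cfg['disable'])) {
            continue;                    // explicitly disabled (or not a driver)
        }
        foreach ((array)($cfg['handles'] ?? array()) as $type) {
            // Strip a trailing wildcard so 'application/vnd.sun.xml.*' matches.
            $bare = rtrim((string)$type, '*');
            foreach ($ooo_prefixes as $prefix) {
                if (strpos($bare, $prefix) === 0) {
                    $enabled[] = $key;
                    continue 3;          // next driver
                }
            }
        }
    }
    return $enabled;
}

// Load the installed configuration; the file populates $mime_drivers.
$mime_drivers = array();
$file = __DIR__ . '/config/mime_drivers.php';
if (!is_readable($file)) {
    fwrite(STDERR, "cannot read $file\n");
    exit(2);
}
require $file;

$open = ooo_viewers_still_enabled($mime_drivers);
if ($open) {
    echo "OpenOffice preview still enabled via driver(s): " . implode(', ', $open) . "\n";
    exit(1);
}
echo "OpenOffice attachment preview is disabled\n";
```

The check deliberately looks at every driver rather than only the 'ooo' key, so a locally added or renamed driver that handles the same MIME types is also reported; its exit status (0 disabled, 1 still enabled, 2 file unreadable) lets it run from a cron job or configuration-management hook.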

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant inside scoop on new vulnerabilities, cyberattacks and law enforcement actions against hackers.