Businesses that use Horde to view emails in their browsers are advised to change a default setting in their webmail application to prevent email accounts from being hijacked using a dangerous vulnerability that was revealed today and has yet to be fixed by the Horde team.
Discovered by SonarSource vulnerability researcher Simon Scannell, the vulnerability has existed in the Horde webmail app since the end of 2012 and resides in the functionality that takes OpenOffice documents and creates previews to display in the browser window.
This process involves taking the OpenOffice document's XML and XSLT files and converting them to HTML and CSS, which are then used to preview the document in the Horde preview pane.
The vulnerability, classified as a stored cross-site scripting (XSS) issue, could allow attackers to retrieve a user's inbox or modify account settings.
“If an attacker manages to target an administrator with a personalized and malicious email, they could abuse this privileged access to support the entire webmail server,” Scannell added.
The vulnerability is considered a critical issue not only because of its possible consequences, but also because of Horde’s large user base.
The webmail application is one of three webmail clients that ship by default with cPanel, an advanced control panel used by the vast majority of web hosting companies today, which means that the webmail application is installed on tens of millions of websites or more, all of which are now exposed to attack.
No patch available, but there is a way to block attacks
Scannell said that despite their efforts to contact Project Horde last August, officials failed to stay in contact with the researchers and did not respond to any follow-up emails regarding a possible patch; the vulnerability remained uncorrected at the time of writing.
An email to the Horde team requesting information on the SonarSource report and a possible upcoming fix for this issue was not returned prior to publication.
Scannell said that despite the seriousness of the problem they discovered, there is at least one way to mitigate and prevent attacks, and that is by disabling the rendering of OpenOffice attachments in the Horde webmail application.
“To do this, administrators can modify the config/mime_drivers.php file in the content root of their Horde installation,” Scannell said, recommending Horde server owners change this option to ‘disable’ => true.
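As an added illustration that is not from the article or from the Horde project, the fragment below shows what that edit looks like inside the driver entry. It assumes the OpenOffice preview viewer is registered under the 'ooo' key in imp/config/mime_drivers.php and that the handled MIME types listed match the shipped default; both are taken from my reading of IMP's configuration, not from the article, so verify them against your own install.

```php
<?php
// Added example, not text from the article or from Horde itself.
// Assumption: the OpenOffice viewer is the 'ooo' driver in
// imp/config/mime_drivers.php and handles the MIME types listed below.
// Check the key and list against the mime_drivers.php shipped with your version.

$mime_drivers['ooo'] = array(
    // The mitigation the article recommends: add this line. With the driver
    // disabled, the OpenOffice-to-HTML/CSS conversion is never run, so a
    // crafted attachment is no longer rendered in the preview pane.
    'disable' => true,

    // Default settings for the driver (left unchanged).
    'inline' => true,
    'handles' => array(
        'application/vnd.oasis.opendocument.text',
        'application/vnd.oasis.opendocument.spreadsheet',
        'application/vnd.oasis.opendocument.presentation',
    ),
);
```

Keep the edit in the live mime_drivers.php rather than the .dist template, and clear any configuration cache Horde keeps so the change takes effect for existing sessions.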