Horde Webmail users are being asked to disable a feature affected by a 9-year-old security flaw in the software. The vulnerability could allow an attacker to gain access to a victim's email account when the victim merely previews an attachment.
“This gives the attacker access to all sensitive and perhaps secret information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization,” SonarSource vulnerability researcher, Simon Scannell, said in a report.
An “all volunteer project,” the Horde Project is a free, browser-based communication suite that allows users to read, send, and organize email messages as well as manage and share calendars, contacts, tasks, notes, files, and bookmarks.
Stored XSS attacks arise when a malicious script is injected into and persisted by a vulnerable web application's server, for example through a website's comment field, so that the untrusted code is retrieved and delivered to the victim's browser every time the stored content is requested.
"The vulnerability is activated when the targeted user opens an OpenOffice file in their browser," Scannell stated. An attacker could steal any emails that the victim sent or received.
"Even worse, should an administrator account with a personalized, malicious email be successfully compromised, the attacker could abuse this privileged access to take over the entire webmail server."
The shortcoming was originally reported to the project maintainers on August 26, 2021, but to date no fixes have been shipped even though the vendor has acknowledged the flaw. We have reached out to Horde for further comment, and we will update if we hear back.
In the interim, Horde Webmail users are advised to disable the rendering of OpenOffice attachments by editing the config/mime_drivers.php file and adding the 'disable' => true configuration option to the OpenOffice MIME handler.
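As an added illustration of that edit (not taken from the article or from the Horde project's own files), here is what the relevant entry in config/mime_drivers.php looks like with the mitigation applied. The driver key 'ooo', the surrounding keys and the listed MIME types are assumptions about the file's layout and should be checked against the installed copy.

```php
<?php
// config/mime_drivers.php (constructed excerpt for illustration)
// Assumption: the OpenOffice/OpenDocument viewer is registered under the key 'ooo'.
$mime_drivers['ooo'] = array(
    // Mitigation from the advisory: 'disable' => true stops Horde from
    // rendering these attachments, which is the code path the stored XSS
    // reaches when a user previews a crafted document in the browser.
    'disable' => true,
    // 'inline' => true is the setting that renders the document in-browser;
    // with 'disable' set, it no longer takes effect.
    'inline' => true,
    'handles' => array(
        // Assumed list; keep whatever types the shipped file already declares.
        'application/vnd.oasis.opendocument.text',
        'application/vnd.oasis.opendocument.spreadsheet',
        'application/vnd.oasis.opendocument.presentation',
    ),
);
```

After saving the file, previewing an OpenOffice attachment should no longer render it inline; verify this with a harmless test document before relying on the change.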