Horde Webmail users are being asked to disable a feature in order to protect themselves from a nine-year-old unpatched security flaw in the program that may be used to acquire total access to email accounts merely by previewing an attachment.
“This gives the attacker access to all sensitive and perhaps secret information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization,” as said by SonarSource vulnerability researcher Simon Scannell. The Horde Initiative is a free, browser-based communication suite that allows users to read, write, and organize email messages as well as manage and share calendars, files, tasks, notes, contacts, and bookmarks. It is an “all volunteer project.”
According to Scannell, the vulnerability is triggered when a targeted person sees an attached OpenOffice document in the browser. This way, an attacker gets access to all of the victim’s emails, both sent and received. Worse, if an administrator account with a customized, malicious email is successfully hacked, the attacker might use this privileged access to take control of the complete webmail service.
The problem was first reported to the project maintainers on August 26, 2021, although despite the vendor’s acknowledgment of the flaw, no remedies have been released to date. Further comments from Horde are still awaited. In the meanwhile, Horde Webmail users should deactivate the rendering of OpenOffice attachments by adding the ‘disable’ => true configuration option to the OpenOffice mime handler in the config/mime_drivers.php file.