Horde Webmail users are being asked to disable a feature in order to protect themselves from a nine-year-old unpatched security flaw in the program that may be used to acquire total access to email accounts merely by previewing an attachment.
“This gives the attacker access to all sensitive and perhaps secret information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization,” as said by SonarSource vulnerability researcher Simon Scannell. The Horde Initiative is a free, browser-based communication suite that allows users to read, write, and organize email messages as well as manage and share calendars, files, tasks, notes, contacts, and bookmarks. It is an “all volunteer project.”
The issue, which was launched as part of a code patch on November 30, 2012, is related to an “unusual” stored cross-site scripting problem (aka persistent XSS). It allows an attacker to create an OpenOffice document so that it automatically runs any JavaScript payload when it is previewed. Stored XSS attacks occur when a harmful script is embedded directly into the server of a susceptible online application, such as a website’s comment box, the untrusted code is retrieved and communicated to the victim’s browser each time the stored information is requested.
According to Scannell, the vulnerability is triggered when a targeted person sees an attached OpenOffice document in the browser. This way, an attacker gets access to all of the victim’s emails, both sent and received. Worse, if an administrator account with a customized, malicious email is successfully hacked, the attacker might use this privileged access to take control of the complete webmail service.
The problem was first reported to the project maintainers on August 26, 2021, although despite the vendor’s acknowledgment of the flaw, no remedies have been released to date. Further comments from Horde are still awaited. In the meanwhile, Horde Webmail users should deactivate the rendering of OpenOffice attachments by adding the ‘disable’ => true configuration option to the OpenOffice mime handler in the config/mime_drivers.php file.
