A nine-year-old unsecure security flaw in the Horde Webmail functionality might be exploited to acquire total access to the email accounts merely by viewing an attachment.
Horde Webmail is a Horde project-developed free, enterprise-ready, browser-based communication package. Universities and government institutions use this webmail option extensively.
According to Simon Scannell, a vulnerability researcher at SonarSource, "it provides the hackers to gain access to all confidential and possibly classified documents a user has recorded in an email address and might allow them to obtain further access to an organization's internal services."
SonarSource detected a stored Xss attack which was implemented with commit 325a7ae, which was 9 years ago. Since the commit on November 30, 2012, the bug has affected all versions. The vulnerability can be exploited by previewing a specially designed OpenOffice document and allowing a malicious JavaScript payload to be executed. The attacker can take all emails sent and received by the victim by exploiting the flaw.
"An attacker can create an OpenOffice document which will launch a malicious JavaScript payload when converted to XHTML by Horde for preview." the report continues "When a targeted person sees an attached OpenOffice document in the browser, the vulnerability is activated." according to SonarSource experts.
Worse, if an executive account with a personalized, phishing email is successfully hacked, the attacker might use this unprecedented access to take control of the entire webmail service. Despite the vendor's confirmation of the problem, no fixes have been given to the project managers as of August 26, 2021. Horde was contacted for more comments, but none were made to address the situation.
Meanwhile, Horde Webmail users should deactivate the rendering of OpenOffice attachments by adding the 'disable' => true configuration option to the OpenOffice mime handler in the config/mime drivers.php file.
