A severe vulnerability in the free, browser-based groupware Horde Webmail allows account takeover. Despite the bug’s severity and a prior bug report, the vendors have not yet patched the flaw.
Horde Webmail Vulnerability
According to a recent post from SonarSource, their researchers found a cross-site scripting (XSS) vulnerability in the Horde Webmail client.
Horde Webmail is a free, open-source, web-based email client used by enterprises. The platform allows
As elaborated in the post, the stored XSS vulnerability was introduced into the software nine years ago in commit 325a7ae. Since then it has stayed under the radar and remains unpatched in all Horde instances.
Briefly, the vulnerability lies in how the platform renders an OpenOffice document into XHTML for preview. The platform uses XSLT (eXtensible Stylesheet Language Transformations) to convert the document’s XML files. As described,
When Horde is asked to render an OpenOffice document for a user, it utilizes the
opendoc2xhtml.xsl stylesheet file developed by the OpenOffice project.
However, it returns the rendered output to the user’s browser without sanitization. Hence, a maliciously crafted OpenOffice file can trigger this XSS vulnerability.
Exploiting this flaw lets an adversary view and steal the victim’s emails and other information stored in the client. If the victim has administrator privileges, the adversary can also execute arbitrary code on the Horde instance.
No Patch Available Yet
Despite existing for years, no patch currently exists for this flaw. What’s worse is that the vendors did not address the problem even after receiving the bug report in 2021.
This means all users of the Horde Webmail client remain exposed to exploitation.
Nonetheless, the researchers have shared a temporary mitigation to reduce the risk.
Briefly, they ask users to disable rendering OpenOffice documents in the platform.
Administrators can edit the config/mime_drivers.php file in the content root of their Horde installation.
After this setting change, users can still download and view OpenOffice documents locally. However, since it prevents the Horde Webmail client from rendering the preview in the browser, the bug won’t trigger.
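As an added illustration (not from the original article or the Horde project), the kind of change this mitigation calls for, written as a config/mime_drivers.php fragment; the 'ooo' driver name, the 'disable' key and the handled MIME types listed here are assumptions based on Horde’s MIME-driver conventions, so verify them against the comments in your own installation’s file:

```php
<?php
// Added example: config/mime_drivers.php fragment for Horde Webmail.
// ASSUMPTION: the OpenOffice viewer is registered under the 'ooo' key and
// honours a boolean 'disable' option; check your own file's header comments.

// Shipped state (vulnerable): 'inline' => true makes Horde render the
// document into XHTML via opendoc2xhtml.xsl and send that markup straight
// to the browser, so a crafted attachment's script content executes.
//
// Mitigated state: disabling the driver stops the XSLT rendering entirely.
// The attachment is still offered for download, but no browser preview
// (and therefore no unsanitized XHTML) is ever produced.
$mime_drivers['ooo'] = array(
    'disable' => true,   // added: switch the OpenOffice preview off
    'inline'  => false,  // do not render inline even if re-enabled later
    'handles' => array(  // constructed subset of OpenDocument/StarOffice types
        'application/vnd.oasis.opendocument.text',
        'application/vnd.oasis.opendocument.spreadsheet',
        'application/vnd.oasis.opendocument.presentation',
        'application/vnd.sun.xml.writer',
        'application/vnd.sun.xml.calc',
        'application/vnd.sun.xml.impress',
    ),
);
```

After saving the file, confirm the change by opening an OpenDocument attachment in the webmail client: it should offer a download rather than an in-browser preview.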