Serious RCE Vulnerability In Horde Webmail Threatens User Security

Researchers have found a serious code execution vulnerability in the web-based groupware Horde Webmail. Exploitation of this RCE vulnerability threatens Horde Webmail users' security, especially since the vendor has no fix planned for the bug.

Horde Webmail RCE Vulnerability

In a recent blog post, researchers from Sonar (formerly SonarSource) have shared details about a serious RCE vulnerability in the Horde Webmail client.

The bug allows an authenticated user of a Horde instance to execute arbitrary code on the target server. Exploiting it merely requires an adversary to trigger a CSRF via a maliciously crafted email containing an external image; tricking the victim into opening that email triggers the exploit and lets the attacker run the code of their choosing.

Moreover, besides gaining access to the victim's server, exploiting this vulnerability also lets the attacker see the victim's login credentials, which the adversary can then abuse to access other services.

This vulnerability has been assigned the identifier CVE-2022-30287. Describing the flaw, the researchers stated in the post,

When a user interacts with an endpoint related to contacts, they are expected to send a string identifying the address book they want to use. Horde then fetches the corresponding configuration from the $cfgSources array and manages the connection to the address book backend…
However, there is no type checking in place which could stop an attacker from sending an array as a parameter and supplying an entirely controlled configuration.
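The quoted description boils down to a parameter-type confusion: a value that the server expects to be a string naming an address book is instead accepted as an array and treated as the configuration itself. The PHP sketch below is an added illustration, not Horde's code or Sonar's proof of concept. It assumes a simplified factory (`resolveSourceVulnerable`, `resolveSourceHardened`, a `$cfgSources` map with constructed entries) that resolves a request parameter against the server-side configuration, and contrasts the missing check with a hardened version that only accepts a string naming a configured source.

```php
<?php
// Added illustration, not Horde's code: a simplified address-book factory that
// resolves the "source" request parameter against a server-side $cfgSources map.
// Assumed names: $cfgSources, resolveSourceVulnerable(), resolveSourceHardened().

$cfgSources = [
    'localsql' => [
        'title'  => 'Local address book',
        'type'   => 'sql',
        'params' => ['table' => 'addressbook_objects'],
    ],
];

// Vulnerable pattern: the factory accepts either a source name (string) or an
// inline configuration (array) and never checks which one came from the request.
function resolveSourceVulnerable(array $cfgSources, $source): array
{
    if (is_array($source)) {
        return $source;            // client-supplied configuration accepted as-is
    }
    return $cfgSources[$source];   // also no check that the key exists
}

// Hardened pattern: request input must be a string that names a configured
// source; anything else (arrays, unknown names) is rejected before use.
function resolveSourceHardened(array $cfgSources, $source): array
{
    if (!is_string($source) || !array_key_exists($source, $cfgSources)) {
        throw new InvalidArgumentException('Unknown or malformed address book source');
    }
    return $cfgSources[$source];
}

// Constructed request inputs. PHP parses "?source[type]=..." into a nested array,
// which is why a missing type check lets a client replace the whole configuration.
$legitimate = ['source' => 'localsql'];
$arrayInput = ['source' => ['type' => 'ldap', 'params' => ['server' => 'client-controlled']]];

foreach ([$legitimate, $arrayInput] as $request) {
    $vuln = resolveSourceVulnerable($cfgSources, $request['source']);
    echo 'vulnerable: type=' . $vuln['type'] . PHP_EOL;
    try {
        $safe = resolveSourceHardened($cfgSources, $request['source']);
        echo 'hardened:   type=' . $safe['type'] . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'hardened:   rejected (' . $e->getMessage() . ')' . PHP_EOL;
    }
}
```

Run with `php` on the command line: the legitimate request resolves to the configured `sql` source in both variants, while the array-valued parameter is taken as the configuration by the vulnerable function and rejected by the hardened one. The design point for defenders is that request parameters must be validated by type and allow-listed against server-side configuration before they select a backend, and that an internal convenience (accepting an array for callers inside the application) must never be reachable from user input.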

The researchers have shared the technical details of the vulnerability in their post and demonstrated the exploit in an accompanying video.

Patch Still Awaited

After discovering the vulnerability, the Sonar team contacted the vendor to report the matter. However, the vendor fixed a previously reported bug instead of addressing this vulnerability.

Eventually, the researchers went ahead and publicly disclosed the vulnerability after the responsible disclosure period ended.

For now, no viable or official fix is available for the bug. This is not unusual for Horde Webmail: a similar event happened earlier this year when a researcher publicly disclosed an XSS bug in Horde Webmail without an official patch.

Therefore, users need to be careful when using this tool. They may also choose to stop using the program until an official fix arrives.
