Pierluigi Paganini February 23, 2022

Experts found a nine-year-old unpatched flaw in the Horde Webmail software that could allow access to email accounts.

A feature in the Horde Webmail is affected by a nine-year-old unpatched security vulnerability that could be abused to gain complete access to email accounts simply by previewing an attachment.

Horde Webmail is a free, enterprise-ready, and browser-based communication suite developed by the Horde project. This webmail solution is widely adopted by universities and government agencies.

“We discovered a code vulnerability in Horde that allows an attacker to gain full access to the email account of a victim when it loads the preview of a harmless-looking email attachment.” reads a report published by Sonarsource. “This gives the attacker access to all sensitive and perhaps secret information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization.”

The vulnerability discovered by Sonarsource is a stored XSS vulnerability that was introduced with the commit 325a7ae, 9 years ago. The bug affects all the versions since the commit that took place on 30 Nov 2012.

The issue can be triggered by previewing a specially crafted OpenOffice document to execute a malicious JavaScript payload. Upon exploiting the issue, the attacker can steal all emails the victim has sent and received.

“An attacker can craft an OpenOffice document that when transformed to XHTML by Horde for preview can execute a malicious JavaScript payload.” continues the report. “The vulnerability triggers when a targeted user views an attached OpenOffice document in the browser.”

In the worst case, the attacker can compromise an administrator account and take over the webmail server.

Sonarsource reported this flaw almost 6 months ago, there is currently no official patch available. 

The researchers recommend disabling the rendering of OpenOffice attachments. Administrators can edit the config/mime_drivers.php file in the content root of their Horde installation add the

'disable' => true 

configuration option to the OpenOffice mime handler:

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Horde Webmail)

[adrotate banner=”5″]

[adrotate banner=”13″]