9-Year-Old Unpatched Email Hacking Bug Uncovered in Horde Webmail Software

Cyber Security

Users of Horde Webmail are being urged to disable a feature to contain a nine-year-old unpatched security vulnerability in the software that could be abused to gain complete access to email accounts simply by previewing an attachment.

“This gives the attacker access to all sensitive and perhaps secret information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization,” SonarSource vulnerability researcher, Simon Scannell, said in a report.

An “all volunteer project,” the Horde Project is a free, browser-based communication suite that allows users to read, send, and organize email messages as well as manage and share calendars, contacts, tasks, notes, files, and bookmarks.

The flaw, which was introduced as part of a code change pushed on November 30, 2012, relates to a case of an “unusual” stored cross-site scripting flaw (aka persistent XSS) that allows an adversary to craft an OpenOffice document in such a manner that when it’s previewed, it automatically executes arbitrary JavaScript payload.

Stored XSS attacks arise when a malicious script is injected directly into a vulnerable web application’s server, such as a comment field of a website, causing the untrusted code to be retrieved and transmitted to the victim’s browser every time the stored information is requested.

“The vulnerability triggers when a targeted user views an attached OpenOffice document in the browser,” Scannell said. “As a result, an attacker can steal all emails the victim has sent and received.”

Even worse, should an administrator account with a personalized, malicious email is successfully compromised, the attacker could abuse this privileged access to take over the entire webmail server.

The shortcoming was originally reported to the project maintainers on August 26, 2021, but to date no fixes have been shipped despite confirmation from the vendor acknowledging the flaw. We have reached out to Horde for further comment, and we will update if we hear back.

In the interim, Horde Webmail users are advised to disable the rendering of OpenOffice attachments by editing the config/mime_drivers.php file to add the ‘disable’ => true configuration option to OpenOffice mime handler.