Select Page

Users of Horde Webmail are being urged to disable a feature to contain a nine-year-old unpatched security vulnerability in the software that could be abused to gain complete access to email accounts simply by previewing an attachment.

“This gives the attacker access to all sensitive and perhaps secret information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization,” SonarSource vulnerability researcher, Simon Scannell, said in a report.

An “all volunteer project,” the Horde Project is a free, browser-based communication suite that allows users to read, send, and organize email messages as well as manage and share calendars, contacts, tasks, notes, files, and bookmarks.

The flaw, which was introduced as part of a code change pushed on November 30, 2012, relates to a case of an “unusual” stored cross-site scripting flaw (aka persistent XSS) that allows an adversary to craft an OpenOffice document in such a manner that when it’s previewed, it automatically executes arbitrary JavaScript payload.

Stored XSS attacks arise when a malicious script is injected directly into a vulnerable web application’s server, such as a comment field of a website, causing the untrusted code to be retrieved and transmitted to the victim’s browser every time the stored information is requested.

“The vulnerability triggers when a targeted user views an attached OpenOffice document in the browser,” Scannell said. “As a result, an attacker can steal all emails the victim has sent and received.”

Even worse, should an administrator account with a personalized, malicious email is successfully compromised, the attacker could abuse this privileged access to take over the entire webmail server.

images from Hacker News