Unpatched Vulnerability Lets Attackers Hijack Horde Webmail Servers and Accounts

SonarSource vulnerability researcher Simon Scannell recently discovered an unpatched flaw in the Horde webmail app that lets threat actors hijack webmail accounts and even servers.

The vulnerability, which has reportedly existed in the webmail app since late 2012, affects the feature that creates previews from OpenOffice documents and displays them within the browser’s window.

The mechanism affected by the flaw converts the XML and XSLT files of OpenOffice documents into HTML and CSS to display the document inside the browser as a preview.

Attackers could leverage this flaw by injecting custom XML code to exploit the conversion above and generate malicious JavaScript code that would allow remote arbitrary code execution from within a user’s Horde inbox, Scannell said in a report.

“If an attacker succeeds in targeting an administrator with a personalized, malicious email, they could abuse this privileged access to take over the entire webmail server,” Scannell said.

The vulnerability, tagged as a stored cross-site scripting (XSS) flaw, allows perpetrators to retrieve user inboxes and even alter account settings.

Horde is one of the default webmail clients shipped with cPanel, an advanced control panel used by most web hosting companies. The flaw’s severity stems not only from the risks it entails but also from Horde’s massive user base.

At the time of writing, the vulnerability is still unpatched, and there’s no patch in sight just yet. However, according to Scannell, there’s at least one way to prevent attackers from exploiting this flaw – disable OpenOffice document previews within the Horde webmail app.

You can do so by editing the config/mime_drivers.php file in the root of your Horde installation and setting 'disable' => true for the OpenOffice document preview driver.