Companies that run the Horde webmail application are advised to disable one of its default settings in order to prevent email accounts from being hijacked through a dangerous vulnerability.
Simon Scannell of SonarSource discovered the vulnerability, which is in the Horde email app and has been present since late 2012.
The flaw is in the feature that takes an OpenOffice document's XML and XSLT files and converts them into HTML and CSS so that Horde can show a preview of the attachment in the browser.
The vulnerability, a stored cross-site scripting (XSS) issue, allows attackers to access a user's inbox and modify account settings.
Scannell further stated that an attacker could target an administrator by sending a malicious, personalized email, and could abuse this privilege to take control of the entire webmail service.
Horde's large user base makes the vulnerability hard to overlook.
Horde is one of the three webmail programs that ship with cPanel by default, a control panel used today by the vast majority of web hosting companies. The webmail app is installed on thousands of websites, and all of them are vulnerable to attack.
While there is no known patch for this issue, there are ways to stop attacks.
Scannell stated that the Horde project maintainers had failed to get in touch with them last August. The researchers have not received any follow-up email about a patch, and the vulnerability remains unpatched at the time of writing.
The Horde team did not respond to an email requesting information on the SonarSource report or a possible patch.
Scannell stated, “Despite the severity of this issue, there’s at least one way of mitigating and preventing attacks. That is, disabling OpenOffice attachments within the Horde email app.”
“To do so, administrators can edit the config/mime_drivers.php file in the content root of their Horde installation,” Scannell said, recommending that Horde server owners change this option to ‘disable’ => true.
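As an added example (not code from Horde, cPanel or the SonarSource report), the following Python script audits a copy of config/mime_drivers.php for the OpenOffice viewer entry and rewrites it with 'disable' => true, which is the mitigation described above. The driver key 'ooo' and the sample configuration are assumptions constructed for the example; adjust the key to match the local file.

```python
import re

# Constructed sample of a Horde config/mime_drivers.php fragment (not copied from
# Horde). The driver key 'ooo' for the OpenOffice viewer is an assumption.
SAMPLE_CONFIG = r"""<?php
$mime_drivers['ooo'] = array(
    'inline' => true,
    'handles' => array(
        'application/vnd.oasis.opendocument.text',
    ),
);
$mime_drivers['pdf'] = array(
    'inline' => true,
    'disable' => false,
);
"""

# One top-level driver entry: $mime_drivers['name'] = array( ... ); with the closing
# ");" at column 0, so nested arrays (indented "),") are not mistaken for the end.
DRIVER_RE = re.compile(
    r"\$mime_drivers\['(?P<name>\w+)'\]\s*=\s*array\((?P<body>.*?)\n\);", re.DOTALL
)
DISABLE_RE = re.compile(r"'disable'\s*=>\s*(true|false)", re.IGNORECASE)


def driver_disabled(config_text: str, driver: str = "ooo") -> bool:
    """True only if the driver entry exists and carries 'disable' => true.
    A missing entry or a missing/false key means the viewer is still active."""
    for m in DRIVER_RE.finditer(config_text):
        if m.group("name") == driver:
            d = DISABLE_RE.search(m.group("body"))
            return d is not None and d.group(1).lower() == "true"
    return False


def harden(config_text: str, driver: str = "ooo") -> str:
    """Return config_text with 'disable' => true on the named driver, rewriting an
    existing 'disable' key or inserting one as the first element of the array."""
    def patch(m):
        if m.group("name") != driver:
            return m.group(0)
        body = m.group("body")
        if DISABLE_RE.search(body):
            body = DISABLE_RE.sub("'disable' => true", body, count=1)
        else:
            body = "\n    'disable' => true," + body
        head = m.group(0)[: m.start("body") - m.start()]
        tail = m.group(0)[m.end("body") - m.start():]
        return head + body + tail
    return DRIVER_RE.sub(patch, config_text)
```

Running driver_disabled against the live file after the change confirms that the OpenOffice preview is actually off, while other viewers such as the PDF entry are left untouched.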