A new unpatched security vulnerability has been disclosed in the
open-source Horde Webmail client that could be exploited to achieve
remote code execution on the email server simply by sending a
specially crafted email to a victim.
“Once the email is viewed, the attacker can silently take over
the complete mail server without any further user interaction,”
SonarSource said in a report[1]
shared with The Hacker News. “The vulnerability exists in the
default configuration and can be exploited with no knowledge of a
targeted Horde instance.”
The issue, which has been assigned the CVE identifier
CVE-2022-30287, was reported to the vendor on
February 2, 2022. The maintainers of the Horde Project did not
immediately respond to a request for comment regarding the
unresolved vulnerability.
At its core, the issue makes it possible for an authenticated
user of a Horde instance to run malicious code on the underlying
server by taking advantage of a quirk in how the client handles
contact lists.
This can then be weaponized in connection with a cross-site
request forgery (CSRF[2]) attack to trigger the
code execution remotely.
CSRF, also called session riding, happens when a web browser is
tricked into executing a malicious action in an application to
which a user is logged in. It exploits the trust a web application
has in an authenticated user.
“As a result, an attacker can craft a malicious email and
include an external image that when rendered exploits the CSRF
vulnerability without further interaction of a victim: the only
requirement is to have a victim open the malicious email.”
The disclosure comes a little over three months after another
nine-year-old bug[3]
in the software came to light, which could permit an adversary to
gain complete access to email accounts by previewing an attachment.
This issue has since been resolved as of March 2, 2022.
In light of the fact that Horde Webmail is no longer actively
maintained since 2017 and dozens
of security flaws[4]
have been reported in the productivity suite, users are recommended
to switch to an alternative service.
“With so much trust being placed into webmail servers, they
naturally become a highly
interesting target for attackers,” the researchers said.
“If a sophisticated adversary could compromise a webmail server,
they can intercept every sent and received email, access
password-reset links, sensitive documents, impersonate personnel
and steal all credentials of users logging into the webmail
service.”
References
- ^
report
(blog.sonarsource.com) - ^
CSRF
(en.wikipedia.org) - ^
nine-year-old bug
(thehackernews.com) - ^
dozens of security flaws
(srcincite.io)
Read more https://thehackernews.com/2022/06/new-unpatched-horde-webmail-bug-lets.html