Home>Blog>The Hacker News Headlines>New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email
The Hacker News Headlines

New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email

A new unpatched security vulnerability has been disclosed in the
open-source Horde Webmail client that could be exploited to achieve
remote code execution on the email server simply by sending a
specially crafted email to a victim.

“Once the email is viewed, the attacker can silently take over
the complete mail server without any further user interaction,”
SonarSource said in a report[1]
shared with The Hacker News. “The vulnerability exists in the
default configuration and can be exploited with no knowledge of a
targeted Horde instance.”

The issue, which has been assigned the CVE identifier
CVE-2022-30287, was reported to the vendor on
February 2, 2022. The maintainers of the Horde Project did not
immediately respond to a request for comment regarding the
unresolved vulnerability.

CyberSecurity

At its core, the issue makes it possible for an authenticated
user of a Horde instance to run malicious code on the underlying
server by taking advantage of a quirk in how the client handles
contact lists.

This can then be weaponized in connection with a cross-site
request forgery (CSRF[2]) attack to trigger the
code execution remotely.

CSRF, also called session riding, happens when a web browser is
tricked into executing a malicious action in an application to
which a user is logged in. It exploits the trust a web application
has in an authenticated user.

“As a result, an attacker can craft a malicious email and
include an external image that when rendered exploits the CSRF
vulnerability without further interaction of a victim: the only
requirement is to have a victim open the malicious email.”

The disclosure comes a little over three months after another
nine-year-old bug[3]
in the software came to light, which could permit an adversary to
gain complete access to email accounts by previewing an attachment.
This issue has since been resolved as of March 2, 2022.

CyberSecurity

In light of the fact that Horde Webmail is no longer actively
maintained since 2017 and dozens
of security flaws[4]
have been reported in the productivity suite, users are recommended
to switch to an alternative service.

“With so much trust being placed into webmail servers, they
naturally become a highly

interesting target for attackers,” the researchers said.

“If a sophisticated adversary could compromise a webmail server,
they can intercept every sent and received email, access
password-reset links, sensitive documents, impersonate personnel
and steal all credentials of users logging into the webmail

service.”

References

  1. ^
    report
    (blog.sonarsource.com)
  2. ^
    CSRF
    (en.wikipedia.org)
  3. ^
    nine-year-old bug
    (thehackernews.com)
  4. ^
    dozens of security flaws
    (srcincite.io)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.