Situation
Cross Site Scripting Vulnerability in Horde Webmail discovered in the Horde webmail.
Impact
A code vulnerability in Horde that allows an attacker to gain full access to the email account when it loads the preview of an OpenOffice document from an email attachment.
Call to Action
The vulnerability has no official patch, yet, from the Horde vendor. So you may either apply a workaround or switch webmail to Roundcube ( How to switch the webmail for a subscription?)
Warning: The patch disables OpenOffice documents to be rendered by the Horde.
Users will still be able to download the OpenOffice documents and view them locally, but Horde won’t attempt to render it in the browser.
Workaround for Linux
-
Connect to the server via SSH
-
Backup the original file
# cp /usr/share/psa-horde/config/mime_drivers.php{,.orig}
-
Edit file
/usr/share/psa-horde/config/mime_drivers.php
and add'disable' => true
configuration option into the OpenOffice mime handler as shown below:/* OpenOffice.org/StarOffice document display. */
'ooo' => array(
'disable' => true, // <---- ADD THIS HERE
'handles' => array(
'application/vnd.stardivision.calc',
'application/vnd.stardivision.draw',
Workaround for Windows
-
Connect to the server via RDP
-
Backup the original file
%plesk_dir%Webmailhordehordeconfigmime_drivers.php
-
Edit file with Notepad
%plesk_dir%Webmailhordehordeconfigmime_drivers.php
and add'disable' => true
configuration option into the OpenOffice mime handler as shown below:/* OpenOffice.org/StarOffice document display. */
'ooo' => array(
'disable' => true, // <---- ADD THIS HERE
'handles' => array(
'application/vnd.stardivision.calc',
'application/vnd.stardivision.draw',
Note: Thus, the vulnerable feature will not be used, and the Horde instance will be protected against exploitation of this vulnerability.