Horde Webmail flaw can allow hackers to gain control by sending an email

June 7, 2022

A newly discovered security flaw has been found in the open-source Horde Webmail client, which hackers can exploit to gain control and perform remote code execution (RCE) on the email server by sending a malicious email to a victim.

According to researchers, if the victim views the malicious email, the adversary can quietly take complete control of the mail server without further user interaction. The flaw exists in the default configuration and can be abused by hackers without needing prior knowledge of the targeted Horde instance.


The Horde Webmail admins were aware of the issue but did not do anything to address the problem.


Researchers tracked the flaw as CVE-2022-30287 and reported it to the Horde vendor last February. However, the maintainers of the groupware firm have not responded promptly to the concerns the researchers raised.

The attack can enable authenticated users of a Horde instance to execute malicious code on the underlying server by exploiting a quirk in how the client manages contact lists.

The hackers can also weaponise this issue with a cross-site request forgery attack to trigger the code execution. Cross-site request forgery is also called session riding, which occurs when a web browser is deceived into activating a malicious action in an application to which a user is logged in.

The forgery abuses the trust a web application places in an authorised user. As a result, an actor can craft a malicious email that includes an external image which, when rendered, exploits the forgery flaw without any further interaction from the victim user. The only requirement for the attack to succeed is that the victim opens the malicious email sent by the actors.

This issue follows the discovery by researchers of a nearly decade-old flaw in the software that allowed a threat actor to gain complete access to email accounts when the victim previewed an attachment. That issue was fixed by a security team last March.

Since Horde Webmail has not been actively maintained since 2017, and new security vulnerabilities in the productivity software continue to be reported, the experts recommend that Horde users move to an alternative service with the same functionality to avoid an attack.
