Applicable to:
- Plesk for Linux
- Plesk for Windows
Situation
A cross-site scripting (XSS) vulnerability has been discovered in Horde Webmail.
Impact
A vulnerability in Horde's code allows an attacker to gain full access to a user's email account when Horde loads the preview of an OpenOffice document attached to an email.
Call to Action
There is no official patch from the Horde vendor yet, so you can either apply the workaround below or switch the webmail to Roundcube (How to switch the webmail for a subscription?).
Warning: the workaround stops Horde from rendering OpenOffice documents.
Users will still be able to download OpenOffice attachments and view them locally, but Horde won't attempt to render them in the browser.
Plesk for Linux
- Connect to the server via SSH.
- Back up the original file:
  # cp /usr/share/psa-horde/config/mime_drivers.php{,.orig}
- Edit the file /usr/share/psa-horde/config/mime_drivers.php and add the 'disable' => true configuration option to the OpenOffice MIME handler, as shown below:
      /* OpenOffice.org/StarOffice document display. */
      'ooo' => array(
          'disable' => true, // <---- ADD THIS HERE
          'handles' => array(
              'application/vnd.stardivision.calc',
              'application/vnd.stardivision.draw',
              // ... the remaining 'handles' entries stay unchanged
          ),
      ),
Plesk for Windows
- Connect to the server via RDP.
- Back up the original file:
  %plesk_dir%\Webmail\horde\horde\config\mime_drivers.php
- Edit the file %plesk_dir%\Webmail\horde\horde\config\mime_drivers.php with Notepad and add the 'disable' => true configuration option to the OpenOffice MIME handler, as shown below:
      /* OpenOffice.org/StarOffice document display. */
      'ooo' => array(
          'disable' => true, // <---- ADD THIS HERE
          'handles' => array(
              'application/vnd.stardivision.calc',
              'application/vnd.stardivision.draw',
              // ... the remaining 'handles' entries stay unchanged
          ),
      ),
Note: the vulnerable feature is then no longer used, and the Horde instance is protected against exploitation of this vulnerability.
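The Linux steps above (back up, insert 'disable' => true, confirm) as a script that also verifies the result, added here as an example; it is not part of the Plesk article and not Horde's or Plesk's own code. It assumes the handler block begins with a line containing 'ooo' => array( exactly as in the snippet above; the path /usr/share/psa-horde/config/mime_drivers.php is the one from the article, while the function names and the sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Plesk article: apply and verify the Horde
# "do not render OpenOffice previews" workaround on Plesk for Linux.
#
# Usage:
#   sh horde_ooo_workaround.sh --demo      # runs on a constructed sample in a temp dir
#   sh horde_ooo_workaround.sh /usr/share/psa-horde/config/mime_drivers.php
#
# Assumption: the handler block starts with a line containing "'ooo' => array("
# exactly as in the article's snippet.

# Exit 0 if the 'ooo' handler already carries 'disable' => true, i.e. the
# option appears between the "'ooo' => array(" line and the handler's
# 'handles' entry; exit 1 otherwise (also when the file has no 'ooo' block).
horde_ooo_disabled() {
    awk -v q="'" '
        index($0, q "ooo" q " => array(")              { inblock = 1; next }
        inblock && index($0, q "handles" q)            { exit }
        inblock && index($0, q "disable" q " => true") { found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Back up the file (the same cp step as the article), insert the option right
# after the "'ooo' => array(" line with matching indentation, syntax-check the
# result when the php CLI is present, and re-verify. Idempotent: a file that
# already has the option is left untouched.
apply_horde_ooo_workaround() {
    file=$1
    if horde_ooo_disabled "$file"; then
        echo "workaround already present: $file"
        return 0
    fi
    [ -e "$file.orig" ] || cp "$file" "$file.orig"
    awk -v q="'" '
        { print }
        index($0, q "ooo" q " => array(") {
            match($0, /^[ \t]*/)
            print substr($0, 1, RLENGTH) "    " q "disable" q " => true, // workaround: do not render OpenOffice previews"
        }
    ' "$file" > "$file.tmp" || return 1
    # cat into the original keeps its owner and mode, unlike mv of the temp file
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    if command -v php >/dev/null 2>&1; then
        php -l "$file" >/dev/null || { echo "syntax check failed, restore from $file.orig" >&2; return 1; }
    fi
    horde_ooo_disabled "$file" && echo "workaround applied: $file"
}

# Constructed sample with the same 'ooo' entry shape as the article's snippet
# (not a real Horde mime_drivers.php).
write_sample_mime_drivers() {
    cat > "$1" <<'EOF'
<?php
$mime_drivers = array(
    /* OpenOffice.org/StarOffice document display. */
    'ooo' => array(
        'handles' => array(
            'application/vnd.stardivision.calc',
            'application/vnd.stardivision.draw',
        ),
    ),
);
EOF
}

# Show the change on the constructed sample without touching a real install.
demo() {
    dir=$(mktemp -d)
    write_sample_mime_drivers "$dir/mime_drivers.php"
    apply_horde_ooo_workaround "$dir/mime_drivers.php"
    diff -u "$dir/mime_drivers.php.orig" "$dir/mime_drivers.php" || true
    rm -rf "$dir"
}

case "${1:-}" in
    "")     ;;                                  # no argument: only define the functions
    --demo) demo ;;
    *)      apply_horde_ooo_workaround "$1" ;;
esac
```

Run it with --demo first to see the diff it produces on the sample, then with the real path as root; horde_ooo_disabled alone is a cheap check to put in a fleet-wide audit of Plesk hosts until a vendor fix ships.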
Comments
I'm just hearing about this vulnerability now, because another Horde vulnerability was recently announced...
https://blog.sonarsource.com/horde-webmail-rce-via-email/
I am subscribed to Plesk news and notifications. I believe, since action was necessary (install workaround or switch webmail), I should have been notified by Plesk via email.
Additionally, the "Here is something worth paying attention to." section at the top of the Plesk Panel home page would have been a good place to put a link to this support article.