[Tickets #15122] Remote images are loaded when they should be blocked

noreply at bugs.horde.org noreply at bugs.horde.org
Wed Oct 12 13:08:20 UTC 2022


PLEASE DO NOT REPLY TO THIS MESSAGE. MESSAGES SENT TO THIS
E-MAIL ADDRESS ARE NOT READ.

Ticket-URL: https://bugs.horde.org/ticket/15122
------------------------------------------------------------------------------
  Ticket           | 15122
  Created By       | wahnes at uni-koeln.de
  Summary          | Remote images are loaded when they should be blocked
  Queue            | IMP
  Version          | FRAMEWORK_5_2
  Type             | Bug
  Status           | Unconfirmed
  Priority         | 2. Medium
  Milestone        |
  Patch            | 1
  Owners           |
------------------------------------------------------------------------------


wahnes at uni-koeln.de (2022-10-12 13:08) wrote:

By default, Imp blocks the loading of images from a remote server in  
an HTML email, unless the user requests that remote images be loaded.
Blocking of remote image loading happens primarily when there is HTML  
code such as "<img src='http://www.example.com/picture.jpg'>" inside  
the HTML message.

In a recent report about a Horde vulnerability, which was focused on  
another problem, it was also mentioned that this feature of blocking  
remote image loading can easily be circumvented by using more  
elaborate HTML code. As detailed at  
<https://blog.sonarsource.com/horde-webmail-rce-via-email/>, remote  
images are in fact loaded when using an HTML construct that looks like  
this: "<picture><source srcset='...'></picture>".

To verify this, I set up a test HTML email that uses this "<picture>"  
trick. The image referenced in the HTML mail is indeed fetched from  
the remote server when this email is opened in Imp, even if the  
setting to block the loading of remote images is in place. If you  
like, I can share this test email with you.

The attached patch tries to fix this flaw by applying a similar  
blocking pattern to HTML "source" elements as is already applied to  
"img" elements. This code may need some more polishing to meet Horde's  
standards, but it does solve this issue when opening the test email.  
Note that this issue may not only have privacy implications, but in  
special cases may also have security implications, as outlined in the  
blog post.



wahnes at uni-koeln.de (2022-10-12 13:08) uploaded:  
imp-block-loading-of-remote-images-via-picture-source-srcset.patch

https://bugs.horde.org/h/services/download/?app=whups&actionID=download_file&file=imp-block-loading-of-remote-images-via-picture-source-srcset.patch&ticket=15122&fn=%2Fimp-block-loading-of-remote-images-via-picture-source-srcset.patch
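
A regression check for the gap described in this ticket, as an added example that is not part of the ticket, the attached patch, or Horde's code: it lists every image URL that would still be fetched from an HTML message body, covering "source" and "srcset" as well as "img src". The names `remote_image_refs` and `srcset_urls`, the sample message, and the rule that only `cid:` and `data:` URLs count as local are assumptions of this sketch.

```python
import re
from html.parser import HTMLParser

# Image-fetching attributes checked here (not exhaustive; CSS is not inspected).
FETCH_ATTRS = {"img": ("src", "srcset"), "source": ("src", "srcset")}
# Assumption: only these schemes may remain in a message shown with blocking on.
LOCAL_SCHEMES = ("cid:", "data:")

def srcset_urls(value):
    """Return the URLs of a srcset value ("url descriptor, url descriptor")."""
    urls, rest = [], value
    while True:
        rest = rest.lstrip(" \t\r\n\f,")
        if not rest:
            return urls
        url = re.match(r"\S+", rest).group()
        rest = rest[len(url):]
        if url.endswith(","):      # candidate without a descriptor
            url = url.rstrip(",")
        else:                      # skip descriptors up to the next comma
            rest = rest.partition(",")[2]
        urls.append(url)

class RemoteImageFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased, values entity-decoded.
        for name, value in attrs:
            if name not in FETCH_ATTRS.get(tag, ()) or not value:
                continue
            urls = srcset_urls(value) if name == "srcset" else [value.strip()]
            self.found += [(tag, name, u) for u in urls
                           if u and not u.lower().startswith(LOCAL_SCHEMES)]

def remote_image_refs(html):
    """List (tag, attribute, url) for every non-local image reference."""
    finder = RemoteImageFinder()
    finder.feed(html)
    finder.close()
    return finder.found

# Constructed sample message body, using the two constructs named in the ticket.
SAMPLE = """<img src="cid:logo@example.com">
<img src='http://www.example.com/picture.jpg'>
<picture><source srcset='http://www.example.com/a.jpg 1x, http://www.example.com/b.jpg 2x'></picture>"""

if __name__ == "__main__":
    for ref in remote_image_refs(SAMPLE):
        print(ref)
```

Run over the output of the mail viewer's HTML filter with image blocking enabled, the returned list should be empty.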




