[horde] XSS vulnerability via OpenOffice document preview
Louis-Philippe Allard
lp.allard.1 at gmail.com
Wed Feb 23 11:41:20 UTC 2022
Quoting Michael Menge <michael.menge at zdv.uni-tuebingen.de>:
> Hi,
>
> I was notified about an unpatched security vulnerability
> https://therecord.media/unpatched-bug-allows-takeover-of-horde-webmail-accounts-servers/
> that can be mitigated by disabling the preview for OpenOffice documents.
>
> In the article and the linked blog post. It is suggested to edit
> config/mime_drivers.php
> but IMHO creating a config/mime_drivers.local.php and setting
> "$mime_drivers['ooo']['disable'] = true;"
> should be better.
>
> Is there a ETR for a patch?
>
> Kind Regards
>
> Michael Menge
>
> --------------------------------------------------------------------------------
> Michael Menge Tel.: (49) 7071 / 29-70316
> Universität Tübingen Fax.: (49) 7071 / 29-5912
> Zentrum für Datenverarbeitung mail:
> michael.menge at zdv.uni-tuebingen.de
> Wächterstraße 76
> 72074 Tübingen
>
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
This will probably be of little use, but I've come across many sites
that mistakenly instructed people to directly edit "*.php" instead of
making "*.local.php" copies. AFAIK the former will not survive
upgrades and will need to be redone each time Horde is upgraded...
As for the proposal to disable the OpenOffice preview, I will let the devs jump in.
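An added illustration of the point made in this thread (this is not Horde's own loader code, just a model of the config/*.php followed by config/*.local.php override order Horde uses): the shipped mime_drivers.php is replaced on upgrade, while a setting placed in mime_drivers.local.php keeps winning. The file names are the real Horde config names; the temporary directory and the contents of the driver table are constructed for the demo.

```php
<?php
// Added example, not Horde's own code. Models how a config/*.local.php file
// overrides the shipped config/*.php, so that
//   $mime_drivers['ooo']['disable'] = true;
// placed in mime_drivers.local.php survives an upgrade that rewrites
// mime_drivers.php. Directory and driver-table contents are constructed.

function loadMimeDrivers(string $dir): array
{
    $mime_drivers = [];
    // Shipped defaults first; an upgrade overwrites this file.
    if (is_readable("$dir/mime_drivers.php")) {
        include "$dir/mime_drivers.php";
    }
    // Site-local override second; upgrades leave it alone and any
    // key it sets takes precedence over the shipped value.
    if (is_readable("$dir/mime_drivers.local.php")) {
        include "$dir/mime_drivers.local.php";
    }
    return $mime_drivers;
}

// A driver is usable only if it is defined and not flagged 'disable'.
function previewEnabled(array $drivers, string $name): bool
{
    return isset($drivers[$name]) && empty($drivers[$name]['disable']);
}

function report(string $label, string $dir): void
{
    $on = previewEnabled(loadMimeDrivers($dir), 'ooo');
    echo str_pad($label, 16), 'OpenOffice preview enabled? ', $on ? "yes\n" : "no\n";
}

// --- Demo in a throwaway config directory (constructed) ---
$dir = sys_get_temp_dir() . '/horde-mime-demo-' . getmypid();
mkdir($dir);

// Stand-in for the shipped file: preview on by default.
file_put_contents("$dir/mime_drivers.php", <<<'PHP'
<?php
$mime_drivers['ooo'] = [
    'inline'  => true,
    'handles' => ['application/vnd.oasis.opendocument.text'],
    'disable' => false,
];
PHP
);
report('Shipped only:', $dir);          // yes

// The mitigation from the thread, in the *.local.php file.
file_put_contents("$dir/mime_drivers.local.php", <<<'PHP'
<?php
$mime_drivers['ooo']['disable'] = true;
PHP
);
report('With override:', $dir);         // no

// Simulate an upgrade: a fresh mime_drivers.php lands, local file untouched.
file_put_contents("$dir/mime_drivers.php", <<<'PHP'
<?php
$mime_drivers['ooo'] = ['inline' => true, 'disable' => false];
PHP
);
report('After upgrade:', $dir);         // still no

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Run it with `php demo.php`; the third line is the one that matters, since editing mime_drivers.php directly would print "yes" again after the simulated upgrade.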