[horde] [announce] [SECURITY] XSS vulnerability in Horde_Mime_Viewer_Ooo

SZÉPE Viktor viktor at szepe.net
Wed Mar 2 09:33:03 UTC 2022


Quoting Frank Richter <frank.richter at hrz.tu-chemnitz.de>:

> Am 01.03.22 um 22:19 schrieb Jan Schneider:
>> The Horde Team is pleased to announce the final release of the  
>> Horde_Mime_Viewer library version 2.2.3.
>>
>> Horde_Mime_Viewer is a library that provides rendering drivers for  
>> MIME data.
>>
>> An XSS vulnerability in the Open Document viewer has been reported  
>> by Simon Scannell from SonarSource. You can find the full report  
>> and mitigation measures at  
>> https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
>>
>> Thanks to Simon Scannell for reporting this issue and for the  
>> detailed report, and apologies for not releasing a fix within the  
>> disclosure embargo.
>
> Thanks. Is the mentioned mitigation ('disable' => true in  
> config/mime_drivers.php or better in mime_drivers.local.php)  
> superfluous by this new version?

Hello Frank!

Everyone encouraging you to edit non-local files makes your next upgrade fail.
Files in a PEAR package will get overwritten, thus your changes will disappear.
Make changes in local files!

:)

```php
<?php
// config/mime_drivers.local.php (overrides the packaged config/mime_drivers.php)
// https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
$mime_drivers['ooo'] = array(
    'disable' => true,
);
```



SZÉPE Viktor, web application operations / Running your application
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
~~~
on-call 🌶️ hotline: +36-20-4242498  sms at szepe.net  skype: szepe.viktor
Budapest, 3rd district
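An added post-upgrade check, not part of the thread or of the Horde project: it emulates the assumed loading order (config/mime_drivers.php first, then config/mime_drivers.local.php, both assigning into $mime_drivers) and reports whether the 'ooo' driver is still disabled after a package update overwrote the packaged file. The script name and the config directory argument are placeholders.

```php
<?php
// Added example (not Horde code). Assumption: Horde includes
// config/mime_drivers.php and then config/mime_drivers.local.php in the
// same scope, so a key assigned in the .local.php file replaces the
// packaged entry of the same name. This check mirrors that order.
// Usage: php check_ooo_disabled.php /path/to/horde/config

function loadMimeDrivers(string $configDir): array
{
    $mime_drivers = array();
    foreach (array('mime_drivers.php', 'mime_drivers.local.php') as $name) {
        $file = $configDir . '/' . $name;
        if (!is_readable($file)) {
            continue;
        }
        // Included files assign into this function's $mime_drivers, so the
        // local file, loaded last, wins for any driver key it sets.
        include $file;
    }
    return $mime_drivers;
}

function oooIsDisabled(array $drivers): ?bool
{
    if (!isset($drivers['ooo'])) {
        return null; // no entry at all: nothing to decide
    }
    return !empty($drivers['ooo']['disable']);
}

$configDir = $argv[1] ?? __DIR__ . '/config';
$state = oooIsDisabled(loadMimeDrivers($configDir));

if ($state === null) {
    echo "No 'ooo' driver entry found in $configDir\n";
    exit(2);
}
if ($state) {
    echo "OK: Horde_Mime_Viewer_Ooo is disabled (override in effect)\n";
    exit(0);
}
echo "WARNING: 'ooo' driver is enabled; check mime_drivers.local.php\n";
exit(1);
```

Run it after each upgrade; exit code 1 means the packaged file was replaced and no local override re-disables the viewer.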