[horde] [announce] [SECURITY] XSS vulnerability in Horde_Mime_Viewer_Ooo

SZÉPE Viktor viktor at szepe.net
Wed Mar 2 10:07:40 UTC 2022


Quoting Frank Richter <frank.richter at hrz.tu-chemnitz.de>:

>> Quoting Frank Richter <frank.richter at hrz.tu-chemnitz.de>:
>>
>>> On 01.03.22 at 22:19 Jan Schneider wrote:
>>>> The Horde Team is pleased to announce the final release of the  
>>>> Horde_Mime_Viewer library version 2.2.3.
>>>>
>>>> Horde_Mime_Viewer is a library that provides rendering drivers  
>>>> for MIME data.
>>>>
>>>> An XSS vulnerability in the Open Document viewer has been  
>>>> reported by Simon Scannell from SonarSource. You can find the  
>>>> full report and mitigation measures at  
>>>> https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
>>>>
>>>> Thanks to Simon Scannell for reporting this issue and for the  
>>>> detailed report, and apologies for not releasing a fix within the  
>>>> disclosure embargo.
>>>
>>> Thanks. Is the mentioned mitigation ('disable' => true in  
>>> config/mime_drivers.php, or better in mime_drivers.local.php)  
>>> made superfluous by this new version?
>>
>> Everyone encouraging you to edit non-local files makes your next  
>> upgrade fail.
>> Files in a pear package will get overwritten thus your changes will  
>> disappear.
>> Make changes in local files!
> Yes, I did it already. My question was, if this change is  
> superfluous with Horde_Mime_Viewer library version 2.2.3.
> I checked it and it looks so – preview of ooo files is disabled.

Now Horde_Mime_Viewer mitigates this kind of attack.
So you may enable previews!

Remember, the only way to prevent all attacks is to use a typewriter.


SZÉPE Viktor, web application operations / Running your application
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
~~~
on-call 🌶️ hotline: +36-20-4242498  sms at szepe.net  skype: szepe.viktor
Budapest, District III



