[horde] [announce] [SECURITY] XSS vulnerability in Horde_Mime_Viewer_Ooo

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Mar 2 11:48:10 UTC 2022


>>On 01.03.22 at 22:19, Jan Schneider wrote:
>>>The Horde Team is pleased to announce the final release of the 
>>>Horde_Mime_Viewer library version 2.2.3.
>>>
>>>Horde_Mime_Viewer is a library that provides rendering drivers for 
>>>MIME data.
>>>
>>>An XSS vulnerability in the Open Document viewer has been reported 
>>>by Simon Scannell from SonarSource. You can find the full report 
>>>and mitigation measures at https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
>>>
>>>Thanks to Simon Scannell for reporting this issue and for the 
>>>detailed report, and apologies for not releasing a fix within the 
>>>disclosure embargo.

>Quoting Frank Richter <frank.richter at hrz.tu-chemnitz.de>:
>>Thanks. Is the mentioned mitigation ('disable' => true in 
>>config/mime_drivers.php or better in mime_drivers.local.php) 
>>superfluous by this new version?

On 02.03.22 10:33, SZÉPE Viktor wrote:
>Everyone encouraging you to edit non-local files makes your next upgrade fail.

Generally yes, but this particular case could be self-healing: after a 
security update the changes are reverted.

>Files in a pear package will get overwritten thus your changes will disappear.
>Make changes in local files!
>
>:)
>
>```
>// https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
>$mime_drivers['ooo'] = array(
>    'disable' => true,
>);
>```

Shouldn't:
$mime_drivers['ooo']['disable'] = true;

be enough?

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.
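As an added illustration (not from this thread or the Horde project) of the difference between the two overrides discussed above: the quoted snippet replaces the whole `$mime_drivers['ooo']` entry, while the one-line form only sets the `disable` flag. The keys `inline` and `handles` and the MIME types below are constructed to resemble a `config/mime_drivers.php` entry, and it is assumed that `mime_drivers.local.php` is loaded after `mime_drivers.php` and operates on the same array; check your own installation.

```php
<?php
// Constructed stand-in for what config/mime_drivers.php might define for the
// OpenDocument driver (key names and MIME types are assumptions).
$mime_drivers = array(
    'ooo' => array(
        'inline'  => true,
        'handles' => array(
            'application/vnd.oasis.opendocument.text',
            'application/vnd.oasis.opendocument.spreadsheet',
        ),
    ),
);

// Variant A, as in the quoted mime_drivers.local.php snippet:
// assigns a brand-new array, so every other key of the entry is lost.
function disableOooByReplacing(array $drivers)
{
    $drivers['ooo'] = array(
        'disable' => true,
    );
    return $drivers;
}

// Variant B, as asked in the reply: touches only the 'disable' flag and
// leaves the rest of the distributed entry intact.
function disableOooMinimal(array $drivers)
{
    $drivers['ooo']['disable'] = true;
    return $drivers;
}

// Both variants mark the driver as disabled, but only B keeps 'handles'.
$variants = array(
    'A (replace entry)' => disableOooByReplacing($mime_drivers),
    'B (set flag only)' => disableOooMinimal($mime_drivers),
);
foreach ($variants as $name => $d) {
    $disabled = !empty($d['ooo']['disable']);
    $handles  = isset($d['ooo']['handles']) ? count($d['ooo']['handles']) : 0;
    printf("%s: disable=%s, handled MIME types kept=%d\n",
        $name, $disabled ? 'true' : 'false', $handles);
}
```

Either form disables the viewer, but variant A also drops the driver's other settings, so removing the override later (once the fixed Horde_Mime_Viewer is installed) leaves a gutted entry rather than the original one; variant B is the smaller, reversible change.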
