[horde] [announce] [SECURITY] XSS vulnerability in Horde_Mime_Viewer_Ooo
Jan Schneider
jan at horde.org
Wed Mar 2 21:11:30 UTC 2022
Zitat von Matus UHLAR - fantomas <uhlar at fantomas.sk>:
>>> Am 01.03.22 um 22:19 schrieb Jan Schneider:
>>>> The Horde Team is pleased to announce the final release of the
>>>> Horde_Mime_Viewer library version 2.2.3.
>>>>
>>>> Horde_Mime_Viewer is a library that provides rendering drivers
>>>> for MIME data.
>>>>
>>>> An XSS vulnerability in the Open Document viewer has been
>>>> reported by Simon Scannell from SonarSource. You can find the
>>>> full report and mitigation measures at
>>>> https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
>>>>
>>>> Thanks to Simon Scannell for reporting this issue and for the
>>>> detailed report, and apologies for not releasing a fix within the
>>>> disclosure embargo.
>
>> Idézem/Quoting Frank Richter <frank.richter at hrz.tu-chemnitz.de>:
>>> Thanks. Is the mentioned mitigation ('disable' => true in
>>> config/mime_drivers.php or better in mime_drivers.local.php)
>>> superfluous by this new version?
>
> On 02.03.22 10:33, SZÉPE Viktor wrote:
>> Everyone encouraging you to edit non-local files makes your next
>> upgrade fail.
>
> generally yes, but this particular case could be self-healing -
> after security update the changes are reverted.
>
>> Files in a pear package will get overwritten thus your changes will
>> disappear.
>> Make changes in local files!
>>
>> :)
>>
>> ```
>> // https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
>> $mime_drivers['ooo'] = array(
>> 'disable' => true,
>> );
>> ```
>
> Shouldn't:
> $mime_drivers['ooo']['disable'] = true;
Correct. Or simply:
unset($mime_drivers['ooo']);
--
Jan Schneider
The Horde Project
https://www.horde.org/
More information about the horde
mailing list