[imp]  Horde v 5.2.22 vulnerability – obfuscation via HTML encoding – XSS payload
    Jens Wahnes 
    wahnes at uni-koeln.de
       
    Mon Mar 24 15:09:24 UTC 2025
    
    
  
Hi Patrick,
Patrick Boutilier wrote:
> On 2025-03-24 07:16, Jens Wahnes wrote:
>> One solution I found to filter out the malicious content from emails 
>> like the one Nataša described was to tighten the code used to sanitize 
>> HTML in e-mails. This is found in the imp/lib/Mime/Viewer/Html.php 
>> file. The code in the big "switch" statement of the "_node" method, 
>> around line 435 or so, dealing with "case 'style'", can be extended to 
>> call "removeChild($node)" not only in the sub-case of 'text/css', as 
>> already present in the file, but also in the general case. When I 
>> added a statement to that effect, the malicious code from the email 
>> was no longer delivered to the browser. So that's a solution others 
>> may want to try as well, assuming there will be no official patch or 
>> newer version released by Horde maintainers.
> Can you provide a patch/diff file for your changes?
It's this code here:
https://github.com/horde/imp/pull/15/commits/51c4173489477692527748f46d35b568df686868
Jens
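
The change described above, sketched as an added stand-alone PHP example; it is not Horde's code and not the patch in the linked commit. The function names stripStyleNodes and sanitize and the sample markup are constructed for illustration, and the narrow mode only mimics the "remove for text/css only" behaviour the message mentions.

```php
<?php
// Added illustration, not Horde's _node() method. All names are hypothetical.

/**
 * Remove <style> elements from a parsed document.
 * $onlyCss = true  : narrow variant, only type="text/css" nodes are removed.
 * $onlyCss = false : tightened variant, every <style> node is removed.
 */
function stripStyleNodes(DOMDocument $doc, bool $onlyCss): int
{
    $removed = 0;
    // Copy to an array first: getElementsByTagName() returns a live list
    // that shifts while nodes are being removed.
    foreach (iterator_to_array($doc->getElementsByTagName('style')) as $node) {
        $type = strtolower(trim($node->getAttribute('type')));
        if ($onlyCss && $type !== 'text/css') {
            continue; // narrow variant: other or missing types pass through
        }
        $node->parentNode->removeChild($node);
        $removed++;
    }
    return $removed;
}

function sanitize(string $html, bool $onlyCss): string
{
    $doc = new DOMDocument();
    // E-mail HTML is often malformed; collect parser warnings silently.
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    stripStyleNodes($doc, $onlyCss);
    return $doc->saveHTML();
}

// Constructed sample: one text/css block and one with an unexpected type.
$sample = '<p>Hello</p>'
    . '<style type="text/css">p { color: red }</style>'
    . '<style type="text/x-other">placeholder content</style>';

foreach ([true, false] as $onlyCss) {
    $out = sanitize($sample, $onlyCss);
    printf("%s: style element left in output: %s\n",
        $onlyCss ? 'text/css only' : 'all style nodes',
        stripos($out, '<style') !== false ? 'yes' : 'no');
}
```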
    
    