[imp] Horde v 5.2.22 vulnerability – obfuscation via HTML encoding – XSS payload

Jens Wahnes wahnes at uni-koeln.de
Mon Mar 24 15:09:24 UTC 2025


Hi Patrick,

Patrick Boutilier wrote:
> On 2025-03-24 07:16, Jens Wahnes wrote:
>> One solution I found to filter out the malicious content from emails 
>> like the one Nataša described was to tighten the code used to sanitize 
>> HTML in e-mails. This is found in the imp/lib/Mime/Viewer/Html.php 
>> file. The code in the big "switch" statement of the "_node" method, 
>> around line 435 or so, dealing with "case 'style'", can be extended to 
>> call "removeChild($node)" not only in the sub-case of 'text/css', as 
>> already present in the file, but also in the general case. When I 
>> added a statement to that effect, the malicious code from the email 
>> was no longer delivered to the browser. So that's a solution others 
>> may want to try as well, assuming there will be no official patch or 
>> newer version released by Horde maintainers.

> Can you provide a patch/diff file for your changes?
It's this code here:
https://github.com/horde/imp/pull/15/commits/51c4173489477692527748f46d35b568df686868

Jens



More information about the imp mailing list