[imp] Horde v 5.2.22 vulnerability – obfuscation via HTML encoding – XSS payload

Patrick Boutilier boutilpj at ednet.ns.ca
Mon Mar 24 17:17:03 UTC 2025



On 3/24/25 12:09 PM, Jens Wahnes wrote:
> Hi Patrick,
> 
> Patrick Boutilier wrote:
>> On 2025-03-24 07:16, Jens Wahnes wrote:
>>> One solution I found to filter out the malicious content from emails 
>>> like the one Nataša described was to tighten the code used to 
>>> sanitize HTML in e-mails. This is found in the imp/lib/Mime/Viewer/Html.php 
>>> file. The code in the big "switch" statement of the "_node" 
>>> method, around line 435 or so, dealing with "case 'style'", can be 
>>> extended to call "removeChild($node)" not only in the sub-case of 
>>> 'text/css', as already present in the file, but also in the general 
>>> case. When I added a statement to that effect, the malicious code 
>>> from the email was no longer delivered to the browser. So that's a 
>>> solution others may want to try as well, assuming there will be no 
>>> official patch or newer version released by Horde maintainers.
> 
>> Can you provide a patch/diff file for your changes?
> It's this code here:
> https://github.com/horde/imp/pull/15/commits/51c4173489477692527748f46d35b568df686868

Slight typo there. Line 447 is missing $ at the start. Line 457 at 
https://github.com/horde/imp/pull/15/files


Thanks.

> 
> Jens
> 
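
The change discussed in this thread (removing "style" nodes in the general case rather than only in the 'text/css' sub-case) can be illustrated with a stand-alone sketch. This is an added example, not code from Horde or from the linked pull request; the function name stripStyleNodes, its $onlyTextCss parameter and the sample mail body are assumptions made for the illustration.

```php
<?php
// Added example, not Horde's code. Simplified model of the 'style' handling
// discussed in the thread: $onlyTextCss = true removes a <style> node only in
// the text/css sub-case; false removes every <style> node (the general case).
function stripStyleNodes(string $html, bool $onlyTextCss): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // mail HTML is often malformed
    $doc->loadHTML($html, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // Snapshot the live node list first; removing while iterating skips nodes.
    $styles = iterator_to_array($doc->getElementsByTagName('style'));
    foreach ($styles as $node) {
        $type = strtolower(trim($node->getAttribute('type')));
        if ($onlyTextCss && $type !== 'text/css') {
            continue;                            // node stays in the output
        }
        $node->parentNode->removeChild($node);
    }
    return $doc->saveHTML();
}

// Constructed sample body: one text/css block, one block with another type,
// and one block with no type attribute. The contents are inert placeholders.
$mail = '<html><head><style type="text/css">p { color: red }</style></head>'
      . '<body><style type="text/x-constructed">placeholder-a</style>'
      . '<style>placeholder-b</style><p>Hello</p></body></html>';

foreach ([true, false] as $onlyTextCss) {
    $out = stripStyleNodes($mail, $onlyTextCss);
    printf(
        "onlyTextCss=%s: %d <style> element(s) left\n",
        var_export($onlyTextCss, true),
        substr_count(strtolower($out), '<style')
    );
}
```

Running it shows how many "style" elements survive each mode, which is a quick way to check a sanitizer change against a saved copy of a suspicious message before it reaches the browser.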