[imp] Horde v 5.2.22 vulnerability – obfuscation via HTML encoding – XSS payload
Jens Wahnes
wahnes at uni-koeln.de
Mon Mar 24 17:51:42 UTC 2025
Patrick Boutilier wrote:
> On 3/24/25 12:09 PM, Jens Wahnes wrote:
>> Patrick Boutilier wrote:
>>> On 2025-03-24 07:16, Jens Wahnes wrote:
>>>> One solution I found to filter out the malicious content from emails
>>>> like the one Nataša described was to tighten the code used to
>>>> sanitize HTML in e-mails. This is found in the imp/lib/Mime/Viewer/
>>>> Html.php file. The code in the big "switch" statement of the "_node"
>>>> method, around line 435 or so, dealing with "case 'style'", can be
>>>> extended to call "removeChild($node)" not only in the sub-case of
>>>> 'text/css', as already present in the file, but also in the general
>>>> case. When I added a statement to that effect, the malicious code
>>>> from the email was no longer delivered to the browser. So that's a
>>>> solution others may want to try as well, assuming there will be no
>>>> official patch or newer version released by Horde maintainers.
>>
>>> Can you provide a patch/diff file for your changes?
>> It's this code here:
>> https://github.com/horde/imp/pull/15/commits/51c4173489477692527748f46d35b568df686868
>
> Slight typo there. Line 447 is missing $ at the start. Line 457 at
> https://github.com/horde/imp/pull/15/files
Ah, thanks for spotting this. Should be fixed now.
I did that edit through Github's web editing feature, because I didn't
have a git client at hand. So it's more of a copy-and-paste of the code
I previously wrote.
Jens
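The approach described in the quoted message (remove a `<style>` element from the sanitized e-mail HTML regardless of its `type` attribute, rather than only when it is `text/css`) as a stand-alone PHP illustration. This is an added example, not Horde's or IMP's code: the real sanitizer in imp/lib/Mime/Viewer/Html.php walks the DOM in its own `_node` method, while the function name `strip_style_elements` and the sample markup below are mine.

```php
<?php
// Added illustration (not Horde/IMP code): drop every <style> element from an
// HTML fragment before it is handed to the browser, whatever its "type"
// attribute says. A filter that only removes type="text/css" leaves any
// <style> with a different or missing type in place; removing the node
// unconditionally closes that gap.

function strip_style_elements(string $html): string
{
    $dom = new DOMDocument();
    // Real-world mail HTML is rarely well-formed; keep libxml's parse
    // warnings out of the log and restore the previous setting afterwards.
    $prev = libxml_use_internal_errors(true);
    $dom->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // Collect the nodes first, then remove them, so the removal does not
    // interfere with the list being iterated.
    $xpath = new DOMXPath($dom);
    $nodes = [];
    foreach ($xpath->query('//style') as $node) {
        $nodes[] = $node;
    }
    foreach ($nodes as $node) {
        // Same call the thread refers to: detach the element from its parent.
        $node->parentNode->removeChild($node);
    }
    return $dom->saveHTML();
}

// Constructed sample (not from the reported e-mail): one <style> with the
// expected text/css type and one with a different type attribute. Both are
// removed; the paragraphs survive.
$sample = '<p>Hello</p>'
        . '<style type="text/css">p { color: red }</style>'
        . '<style type="text/unknown">p { color: blue }</style>'
        . '<p>Bye</p>';

echo strip_style_elements($sample), "\n";
```

`DOMDocument::loadHTML` wraps the fragment in `<html><body>` and adds a doctype on output, which is acceptable for a demonstration; a production filter would keep whatever document-level handling the surrounding sanitizer already performs and only add the unconditional `removeChild` step.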