The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim’s webmail account by making them visit a malicious URL.
“Horde Groupware Webmail Edition is a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks and notes with the standards compliant components from the Horde Project. Horde Groupware Webmail Edition bundles the separately available applications IMP, Ingo, Turba, Kronolith, Nag, Mnemo, Gollem, and Trean.” For more information visit http://www.horde.org/apps/webmail.
An authenticated user can attach an SVG image file to an email. Once the upload of the file is finished, the image is available at [horde's webroot]/services/images/view.php?f=Horde<image_unique_code>.
SVG files can contain JavaScript code, which is interpreted by the browser if the user views the image directly (for example through the /services/images/view.php endpoint mentioned above).
which translates to [horde's webroot]/services/images/view.php?f=Hordea0qj7I.
An unauthenticated attacker might be able to gain access to the victim’s webmail by making them visit an SVG URL which triggers the stored XSS vulnerability.
The /services/images/view.php endpoint now sets the Content-Disposition: attachment HTTP header, forcing the web browser to download the image instead of rendering it in the page.
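The fix relies on the browser never rendering a user-uploaded SVG as a document in the webmail origin. The following Python is an added illustration written for this advisory, not Horde code: it sniffs whether an upload is really an SVG regardless of its declared type, flags SVGs that carry active content so an operator can alert on them, and builds the response headers an image-view endpoint should emit, forcing `attachment` for anything a browser could execute. The sample SVG and PNG bytes are constructed for the example; parsing untrusted XML with the standard library should be paired with an upload size limit.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Raster types a browser renders as pixels only; everything else is downloaded.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif"}


def is_svg(data: bytes) -> bool:
    """True when the upload parses as XML whose root element is <svg>,
    whatever Content-Type or extension the uploader declared."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag in ("svg", "{%s}svg" % SVG_NS)


def svg_has_active_content(data: bytes) -> bool:
    """Detection helper: flag SVGs with script elements, foreignObject,
    on* event-handler attributes or javascript: references. Such a file
    would execute if a browser rendered it inline."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()
        if local in ("script", "foreignobject"):
            return True
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()
            if attr.startswith("on"):
                return True
            if attr == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


def response_headers(filename: str, data: bytes, content_type: str) -> dict:
    """Headers for an image-view endpoint, mirroring the 5.2.22 mitigation:
    only known raster types that are not secretly SVG are served inline."""
    inline_safe = content_type in INLINE_SAFE_TYPES and not is_svg(data)
    disposition = "inline" if inline_safe else "attachment"
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",  # stop MIME sniffing into text/html
        "Content-Disposition": '%s; filename="%s"' % (disposition, safe_name),
    }


# Constructed sample inputs for the example.
SAMPLE_SVG_WITH_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
SAMPLE_SVG_PLAIN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
```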
Upgrade to Horde Groupware Webmail 5.2.22 or later.
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.com/advisories/horde-groupware-webmail-stored-cross-site-scripting-xss-via-svg/
Date: 20 April 2020