
Horde Webmail contains zero-day RCE bug with no patch on the horizon

A zero-day vulnerability in Horde Webmail enables attackers to take over the web server and pivot to compromising an organization’s other services, according to security researchers.

Documented by Swiss security firm Sonar (formerly SonarSource), the flaw can only be exploited if an authenticated user of the targeted instance opens a malicious email sent by the attacker.

Opening the email is enough: it triggers the exploit, which executes arbitrary code on the underlying server without any further interaction from the victim.

Abandonware

A patch for the remote code execution (RCE) vulnerability in the open source platform may never surface given that the current version, which contains the flaw, has been flagged by the maintainers as the final release.

Sonar researchers have therefore advised users to abandon Horde Webmail.

Johannes Dahse, head of R&D at Sonar, said that a Shodan search had revealed more than 3,000 exposed Horde instances worldwide.

“Furthermore, it is integrated into cPanel,” he told The Daily Swig. “As webmail software does not need to be exposed to the internet, we believe that there are even more, internal instances. These instances can still be exploited as long as the email server of an organization is exposed.”

Horde Webmail, which is part of the Horde groupware, provides a browser-based email client and a server that acts as a proxy to the organization’s email server.

By compromising webmail servers, attackers “can intercept every sent and received email, access password-reset links, sensitive documents, impersonate personnel and steal all credentials of users logging into the webmail service,” according to a Sonar blog post by Simon Scannell, vulnerability researcher at Sonar.

CSRF

The Horde Webmail vulnerability (CVE-2022-30287) can be triggered with a single GET request, which is what makes cross-site request forgery (CSRF) possible: the victim’s browser can be made to issue that request, with the victim’s session cookies attached, simply by loading an image. “As a result, an attacker can craft a malicious email and include an external image that when rendered exploits the CSRF vulnerability,” Scannell explained.

Worse still, the victim’s clear-text credentials are also leaked to the attacker, potentially giving the adversary access to additional services used by the target organization, as Sonar demonstrated in a proof-of-concept video accompanying its blog post.

The vulnerability exists in Horde Webmail’s default configuration and potentially lends itself to mass-exploitation, Sonar warns.

It alerted maintainers to the issue on February 2 and disclosed the flaw today (June 1), having notified the maintainers on May 3 that the 90-day disclosure deadline had passed.

Horde did, however, release a fix on March 2 for a separate issue reported previously by Sonar, and it acknowledged the latest vulnerability report at that time, according to Sonar.

Salutary lesson

The researchers draw a broader lesson from the vulnerability, noting that it lies in PHP code, and that PHP is dynamically typed: a request parameter can arrive as a string or as an array depending solely on how the attacker formats the query string.

“In this case, a security sensitive branch was entered if a user-controlled variable was of the type array,” Scannell said. “We highly discourage developers from making security decisions based on the type of a variable, as it is often easy to miss language-specific quirks.”
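The following illustration, added here and not taken from Horde’s code or Sonar’s write-up, shows the two points made above: why an image in an email can drive a GET-only endpoint (the CSRF angle) and why a branch keyed on `is_array()` is a trap in PHP, where `?server[host]=x` yields an array while `?server=x` yields a string. The handler names, the `server` parameter and the allow-listed hostname are hypothetical; requests are simulated with `parse_str` so the script runs offline with `php`.

```php
<?php
// Added illustration (hypothetical handlers, not Horde's code): a PHP query
// string decides the *type* of a parameter, so a security decision that
// depends on is_array() can be steered by the sender of a URL.
declare(strict_types=1);

// Vulnerable pattern: the "trusted config" branch is reached simply because
// the request said ?server[host]=... instead of ?server=...
function vulnerableHandler(string $queryString): string
{
    parse_str($queryString, $params);           // builds nested arrays for name[key]=value
    $server = $params['server'] ?? null;

    if (is_array($server)) {
        // Meant for pre-validated config arrays from an internal caller, so
        // the host is used as-is. An attacker reaches it with one URL.
        return 'connect to ' . (string) ($server['host'] ?? '?');
    }

    // Ordinary path: only allow-listed names are accepted.
    return in_array($server, ['imap.internal.example'], true)
        ? 'connect to ' . $server
        : 'rejected';
}

// Hardened pattern: refuse GET for anything state-changing (a rendered <img>
// can only issue GET), require a CSRF token, and validate the parameter's
// type and value explicitly instead of dispatching on its type.
function hardenedHandler(string $method, string $queryString, ?string $csrfToken, string $expectedToken): string
{
    if ($method !== 'POST') {
        return 'rejected: state-changing requests must be POST';
    }
    if ($csrfToken === null || !hash_equals($expectedToken, $csrfToken)) {
        return 'rejected: missing or invalid CSRF token';
    }

    parse_str($queryString, $params);
    $server = $params['server'] ?? null;

    if (!is_string($server)) {
        return 'rejected: server must be a string';
    }
    if (!in_array($server, ['imap.internal.example'], true)) {
        return 'rejected: unknown server';
    }
    return 'connect to ' . $server;
}

// Constructed inputs: a legitimate request, and what an
// <img src="https://webmail.example/endpoint?server[host]=attacker.example">
// embedded in a malicious email would make the victim's browser send.
$legit    = 'server=imap.internal.example';
$attacker = 'server[host]=attacker.example';

echo vulnerableHandler($legit), PHP_EOL;
echo vulnerableHandler($attacker), PHP_EOL;
echo hardenedHandler('GET',  $attacker, null,  'token'), PHP_EOL;
echo hardenedHandler('POST', $attacker, 'token', 'token'), PHP_EOL;
echo hardenedHandler('POST', $legit,    'token', 'token'), PHP_EOL;
```

Run it with `php example.php`. The vulnerable handler happily “connects” to the attacker-chosen host for the second input because the array form skips the allow-list, whereas the hardened handler rejects that same input three different ways (wrong method, no token, wrong type) before it would ever look at the value. The design choice worth copying is the last one: decide what a parameter must be and reject everything else, rather than letting the parameter’s runtime type select the code path.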


Sonar last year documented a chained exploit in another open source webmail platform, Zimbra, that allowed unauthenticated attackers to gain control of Zimbra servers.

Source: https://portswigger.net/daily-swig/horde-webmail-contains-zero-day-rce-bug-with-no-patch-on-the-horizon


Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO
