Horde Temporarily Disabled on all Servers
We’ve recently been made aware of a serious vulnerability that exists in the Horde mail application and have temporarily disabled Horde on all shared and managed cPanel servers.
As you know, security will always remain one of our top priorities. We’re constantly checking up on all software being used on our servers to stay ahead of any known security issues.
We’ve been in contact with cPanel. They may patch Horde in the coming weeks, but we haven’t received any official date from their side as to when it could be fixed. You can be certain you’ll know as soon as we do.
Details of the vulnerability
This is a nine-year-old unpatched security vulnerability in the Horde’s software that could be abused to gain complete access to email accounts simply by previewing an attachment. Talk about sleeper agent.
While a preview may seem innocuous, complete access to your email account and sensitive emails is something that’ll lead to serious implications for you and your business.
The flaw was unwittingly introduced on 30 November 2012, when faulty code was published by Horde developers that allows what’s called a Stored cross-site scripting (XSS) vulnerability, AKA Persistent XSS.
Stored cross-site scripting
A Stored/Persistent XSS vulnerability means a flaw is present in the actual website code which is stored on the web servers. Therefore, the insecure code fetched and present in the site every time anyone visits it in their browser.
This allows a hacker to find the flaw and send a malicious XSS payload to a web server that runs the vulnerable software, to trigger the vulnerability to execute their payload in anyone’s browser.
Horde vulnerability – how it works
This defect specifically, allows an attacker to put a malicious JavaScript payload in an OpenOffice document and say email it to victims. This places the malicious file on mail servers that also run the faulty Horde application, which allows the flawed code to automatically be triggered.
The victims are those who use the Horde email client to view their emails in their browser. When these unsuspecting users simply preview the seemingly harmless OpenOffice document, it triggers the vulnerability and executes the XSS payload in the document, giving the hacker access to everything the victim sends and receives.
It could be a lot worse even. If an administrator falls victim to the malicious payload, the attacker can assume control of everything the admin has access to i.e. the entire webmail server.
When was it reported?
The loophole was originally spotted and reported on August 26, 2021, to the project maintainers. To date, no fixes have been shipped despite their knowing about and confirming their knowledge about the flaw.
We’ve secured our clients
Again, in the meantime, we’ve disabled Horde on shared and managed cPanel servers. We won’t risk your security. We’ll keep you posted on any further updates.