Horde Temporarily Disabled on all Web Servers
We’ve recently been made aware of a serious vulnerability that exists in the Horde mail application and have temporarily disabled Horde on all shared and managed cPanel servers.
As you know, security will always remain one of our top priorities. We’re constantly checking up on all software being used on our servers to stay ahead of any known security issues.
We’ve been in contact with cPanel. They may patch Horde in the coming weeks, but we haven’t received any official date from their side as to when it could be fixed. You can be certain you’ll know as soon as we do.
Details of the vulnerability
This is a nine-year-old unpatched security vulnerability in Horde’s software that could be abused to gain complete access to email accounts simply by previewing an OpenOffice attachment. Talk about sleeper agent.
While a preview may seem innocuous, complete access to your email account and sensitive emails is something that’ll lead to serious implications for you and your business.
The flaw was unwittingly introduced on 30 November 2012, when faulty code was published by Horde developers that allows what’s called a Stored cross-site scripting (XSS) vulnerability, AKA Persistent XSS.
Stored cross-site scripting
A Stored/Persistent XSS vulnerability means a flaw is present in the actual web application code which is stored on the web servers. Therefore, the insecure code is fetched and present in the site every time anyone visits it in their browser.
This allows a hacker to find the flaw and send a malicious XSS payload to a web server that runs the vulnerable software, to trigger the vulnerability to execute their payload in anyone’s browser.
Horde vulnerability – how it works
The victims are those who use the Horde email client to view their emails in their browser. When these unsuspecting users simply preview the seemingly harmless OpenOffice document, it triggers the vulnerability and executes the XSS payload in the document, giving the hacker access to everything the victim sends and receives.
It could be a lot worse even. If an administrator falls victim to the malicious payload, the attacker can assume control of everything the admin has access to i.e. the entire webmail server.
When was it reported?
The loophole was originally spotted and reported on August 26, 2021, to the project maintainers. To date, no fixes have been shipped despite their knowing about and confirming their knowledge about the flaw.
We’ve secured our clients
Again, in the meantime, we’ve disabled Horde on shared and managed cPanel servers. We won’t risk your security. We’ll keep you posted on any further updates.
- Guide to Cron Jobs
- Landing Page SEO Best Practices and Tips for Success
- Price Increase 2022
- 50+ GIT Commands with Downloadable Cheat Sheet
- 5 Ways to Stay on Budget with AWS
- Site Builder Part 1: Getting started
- 7 Reasons to Avoid Nulled WordPress Themes and Plugins
- 5 Reasons Why Mobile-Friendly Websites Boost Your Brand
- 100+ Linux Commands with Downloadable Cheat Sheet
- Deploy Kubernetes Cluster on Ubuntu 20.04 with Containerd