Horde Webmail Carries a 9-Year-Old Flaw That Risks Email Theft

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

A nine-year-old security flaw in Horde Webmail could be exploited to gain complete access to a user's email account merely by having that user view an attachment. Horde Webmail is a free, enterprise-ready, browser-based communication suite developed by the Horde project, and it is used extensively by universities and government institutions.

According to Simon Scannell, a vulnerability researcher at SonarSource, “it allows hackers to gain access to all confidential and possibly classified documents a user has recorded in an email address and might allow them to obtain further access to an organization’s internal services.”

SonarSource traced the stored XSS vulnerability to commit 325a7ae, made nine years ago. Every version released since that commit, on November 30, 2012, is affected. The vulnerability is triggered by previewing a specially crafted OpenOffice document, which allows a malicious JavaScript payload to execute in the victim's browser. By exploiting the flaw, an attacker can steal all emails sent and received by the victim.

“An attacker can create an OpenOffice document which will launch a malicious JavaScript payload when converted to XHTML by Horde for preview,” the SonarSource report continues. “When a targeted person sees an attached OpenOffice document in the browser, the vulnerability is activated.”
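The defensive lesson from the preview path described above is to treat a document converter's XHTML output as untrusted markup. The following Python sanitiser is an added example, not Horde's or SonarSource's code; the sample input, the tag and scheme allowlists and the function names are constructed assumptions and are not taken from Horde.

```python
# Added example (not Horde's code): strip active content from converter output
# before it is served as an attachment preview (assumes XHTML as a string).
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
ET.register_namespace("", XHTML_NS)

# Constructed sample of what a careless document-to-XHTML converter might emit
# when the source document smuggles script into elements and attributes.
SAMPLE_XHTML = f"""<html xmlns="{XHTML_NS}"><body>
  <p>Quarterly report</p>
  <script>fetch('/mail?all=1')</script>tail text
  <a href="java&#9;script:alert(1)" onclick="run()">link</a>
  <img src="report.png" onerror="run()"/><p style="color:red">ok</p>
</body></html>"""
DROP_TAGS = {"script", "object", "embed", "iframe", "form", "meta", "link", "base"}
URL_ATTRS = {"href", "src", "action", "formaction"}
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}

def local(name):
    """Strip an XML namespace: '{ns}tag' -> 'tag' (lower-cased)."""
    return name.rsplit("}", 1)[-1].lower()

def url_ok(value):
    """Allow relative URLs plus an allowlist of schemes; reject javascript:,
    data:, vbscript: and similar, including whitespace-padded variants."""
    v = "".join(value.split()).lower()   # browsers ignore embedded whitespace
    head = v.split("/", 1)[0]
    return ":" not in head or head.split(":", 1)[0] in SAFE_SCHEMES

def sanitize(xhtml):
    """Return (cleaned XHTML, count of removed elements and attributes)."""
    root, removed = ET.fromstring(xhtml), 0
    for parent in list(root.iter()):
        for idx, child in reversed(list(enumerate(parent))):  # reversed: safe removal
            if local(child.tag) in DROP_TAGS:
                tail = child.tail or ""           # keep text that followed it
                if idx == 0:
                    parent.text = (parent.text or "") + tail
                else:
                    parent[idx - 1].tail = (parent[idx - 1].tail or "") + tail
                parent.remove(child)
                removed += 1
    for el in root.iter():
        for attr in list(el.attrib):
            name = local(attr)
            if (name.startswith("on") or name == "style"
                    or (name in URL_ATTRS and not url_ok(el.attrib[attr]))):
                del el.attrib[attr]
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed
```

Serving the preview from a separate origin, or with a Content-Security-Policy that forbids inline script, is a second layer that still limits damage if the sanitiser misses a vector.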