Horde Webmail contains zero-day RCE bug with no patch on the horizon

Adam Bannister

01 June 2022 at 14:34 UTC

Updated: 06 June 2022 at 12:56 UTC

CSRF exploit requires user to open malicious e-mail

A zero-day vulnerability in Horde Webmail allows attackers to take over the web server and pivot to compromising an organization’s other services, according to security researchers.

Documented by Swiss security firm Sonar (formerly SonarSource), the flaw’s abuse depends on an authenticated user of the targeted instance opening a malicious e-mail sent by the attacker.

If they do so, they inadvertently trigger the exploit, which executes arbitrary code on the underlying server.


A patch for the remote code execution (RCE) vulnerability in the open source platform may never surface, given that the current version, which contains the flaw, has been flagged by the maintainers as the final release.

Sonar researchers have therefore advised users to abandon Horde Webmail.


Johannes Dahse, head of R&D at Sonar, said that a Shodan search had revealed more than 3,000 exposed Horde instances worldwide.

“Furthermore, it’s integrated into cPanel,” he told The Daily Swig. “As webmail software doesn’t have to be exposed to the internet, we believe that there are many more, internal instances. These instances can still be exploited as long as the e-mail server of an organization is exposed.”

Horde Webmail, which is part of the Horde groupware, provides a browser-based e-mail client and a server that acts as a proxy to the organization’s e-mail server.

By compromising webmail servers, attackers “can intercept every sent and received e-mail, access password-reset links, sensitive documents, impersonate personnel and steal all credentials of users logging into the webmail service,” according to a Sonar blog post by Simon Scannell, vulnerability researcher at Sonar.


The Horde Webmail vulnerability (CVE-2022-30287) can be abused with a single request, which brings cross-site request forgery (CSRF) into play. “As a result, an attacker can craft a malicious e-mail and include an external image that when rendered exploits the CSRF vulnerability,” Scannell explained.

Worse still, the victim’s clear-text credentials are also leaked to the attacker, potentially giving the adversary access to additional services used by the target organization – as demonstrated in the proof-of-concept video below.

The vulnerability exists in Horde Webmail’s default configuration and potentially lends itself to mass-exploitation, Sonar warns.

It alerted maintainers to the issue on February 2 and disclosed the flaw today (June 1), having notified the maintainers on May 3 that the 90-day disclosure deadline had passed.

However, on March 2 Horde released a fix for a separate issue reported previously by Sonar and acknowledged the latest vulnerability report, according to Sonar.

Salutary lesson

The researchers point towards a lesson offered by the vulnerability, noting that it exists in PHP code, which generally uses dynamic types.

“In this case, a security sensitive branch was entered if a user-controlled variable was of the type array,” Scannell said. “We highly discourage developers from making security decisions based on the type of a variable, as it’s often easy to miss language-specific quirks.”

Sonar last year documented a chained exploit in another open source webmail platform, Zimbra, that allowed unauthenticated attackers to gain control of Zimbra servers.
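The pattern Scannell warns about, as an added PHP 8 example that is not Horde’s code and not part of the original article: a hypothetical handler in which an array-typed request value enters the privileged branch, beside a version that accepts only a string key from an allow-list. The names `BACKENDS`, `pickBackendWeak` and `pickBackendStrict`, the `backend` parameter and the query strings are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed allow-list of server-side backends (hypothetical names).
const BACKENDS = [
    'personal' => ['driver' => 'sql',  'table' => 'contacts'],
    'shared'   => ['driver' => 'ldap', 'host'  => 'ldap.internal.example'],
];

// Weak: the *type* of a request value decides which branch runs.
// The array branch was meant for internal callers that pass a ready config.
function pickBackendWeak(mixed $backend): array
{
    if (is_array($backend)) {
        return $backend;                 // caller-supplied config is used as-is
    }
    return BACKENDS[$backend] ?? throw new InvalidArgumentException('unknown backend');
}

// Hardened: request input may only be a string key into the allow-list.
function pickBackendStrict(mixed $backend): array
{
    if (!is_string($backend) || !array_key_exists($backend, BACKENDS)) {
        throw new InvalidArgumentException('backend must name a registered entry');
    }
    return BACKENDS[$backend];
}

// Constructed query strings, parsed the same way PHP fills $_GET:
// bracket syntax in a parameter name silently turns the value into an array.
$queries = [
    'backend=personal',
    'backend[driver]=other&backend[host]=client-chosen.example',
];

foreach ($queries as $qs) {
    parse_str($qs, $get);
    echo $qs, PHP_EOL;
    echo '  weak:   ', json_encode(pickBackendWeak($get['backend'])), PHP_EOL;
    try {
        echo '  strict: ', json_encode(pickBackendStrict($get['backend'])), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo '  strict: rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

For the second query the weak function returns the client-supplied array unchanged, while the strict function rejects it before any lookup happens.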
