Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label XHTML Code. Show all posts

Horde Webmail Software has a 9-year-old Unsecure Email Theft Risk

 

A nine-year-old unsecure security flaw in the Horde Webmail functionality might be exploited to acquire total access to the email accounts merely by viewing an attachment. Horde Webmail is a Horde project-developed free, enterprise-ready, browser-based communication package. Universities and government institutions use this webmail option extensively. 

According to Simon Scannell, a vulnerability researcher at SonarSource, "it provides the hackers to gain access to all confidential and possibly classified documents a user has recorded in an email address and might allow them to obtain further access to an organization's internal services." 

SonarSource detected a stored Xss attack which was implemented with commit 325a7ae, which was 9 years ago. Since the commit on November 30, 2012, the bug has affected all versions. The vulnerability can be exploited by previewing a specially designed OpenOffice document and allowing a malicious JavaScript payload to be executed. The attacker can take all emails sent and received by the victim by exploiting the flaw. 
"An attacker can create an OpenOffice document which will launch a malicious JavaScript payload when converted to XHTML by Horde for preview." the report continues "When a targeted person sees an attached OpenOffice document in the browser, the vulnerability is activated." according to SonarSource experts.

Worse, if an executive account with a personalized, phishing email is successfully hacked, the attacker might use this unprecedented access to take control of the entire webmail service. Despite the vendor's confirmation of the problem, no fixes have been given to the project managers as of August 26, 2021. Horde was contacted for more comments, but none were made to address the situation.

Meanwhile, Horde Webmail users should deactivate the rendering of OpenOffice attachments by adding the 'disable' => true configuration option to the OpenOffice mime handler in the config/mime drivers.php file.

MyBB CAPTCHA Flaw Breaks Forum Validation Checks

 

MyBB has issued a warning to users that the latest version of the programme contains a CAPTCHA-breaking flaw that may affect forum functioning. 

The popular open-source software serves as the foundation for thousands of online forums. However, in June, version 1.8.27 accidentally introduced a programming vulnerability that affects CAPTCHA verification systems enabled by users. 

The project's developers warned on October 3 that the problem affects reCAPTCHA v3 and hCaptcha invisible, two services meant to prevent harmful bots from flooding web pages with false traffic. According to the MyBB developers, validation efforts performed using CAPTCHAs, when applied on a forum, “appear broken and the verification can reject or accept attempts incorrectly”. 

The problem, which has been reported on GitHub, was caused by the usage of the incorrect template and handlers for the CAPTCHAs. Incorrect pointers in reCAPTCHA v3 have resulted in a faulty image verification prompt, possibly allowing the system to be circumvented. 

In the context of hCaptcha, the incorrect handler may cause the feature to refuse all challenges. MyBB advises that users move to an alternative technique for applying CAPTCHAs on their forums temporarily or manually apply forthcoming updates available on GitHub. 

Version 1.8.27 is presently being stabilized, and a fix will be included in the next maintenance release.

Examine the builds 

In addition to the CAPTCHA fix, MyBB has requested forum managers to check their error logging configurations. A read-only feature released in MyBB 1.8.27 requires XHTML code validation as it is created to give forum administrators a chance to notice any errors in a configuration error report– ahead of the planned full release of this feature. 

Customized MyCodes, plugins, theme templates, or username styles that are incompatible with the next version may cause problems in the next build. 

The developers stated, “After upgrading, validation errors will continue to be logged, but messages with problematic MyCode will not be displayed to prevent potential XSS attacks against your forums.”