Summary | Remote images are loaded when they should be blocked |
Queue | IMP |
Queue Version | FRAMEWORK_5_2 |
Type | Bug |
State | Feedback |
Priority | 2. Medium |
Owners | ralf.lang (at) ralf-lang (dot) de |
Requester | wahnes (at) uni-koeln (dot) de |
Created | 10/12/2022 (949 days ago) |
Due | |
Updated | 05/18/2025 (today) |
Assigned | 05/18/2025 (today) |
Resolved | |
Milestone | |
Patch | Yes |
Assigned to Ralf Lang
commit ee707638d5f0c780fd83238690f2d2efe34999ed
Author: Ralf Lang <ralf.lang@ralf-lang.de>
Date: Sun, 18 May 2025 15:12:56 +0200
Release 7.0.0-alpha14 (API Version: 7.0.0-alpha1)
fix: Convert lib/ autoloader to classmap and introduce PSR-4 src/ namespace
fix: only encrypt for own key if 'save_sent' is activated (Mahdi
Pasche, B1 Systems GmbH)
fix: Fix in HTML Viewer (Torben Dannhauer)
fix: Horde Bug 15122: Fix privacy issue with remote images being
loaded despite user's preference not to load remote images. May have
security consequences, too. (contributed by Jens Wahnes).
M .horde.yml
M composer.json
R doc/CHANGES
M doc/changelog.yml
M lib/Application.php
R package.xml
https://github.com/horde/imp/commit/ee707638d5f0c780fd83238690f2d2efe34999ed
commit 891814ff4e9f6966641687ff869d9d39cd38d41a
Author: Wahnes <61080908+Wahnes@users.noreply.github.com>
Date: Sun, 18 May 2025 14:57:25 +0200
fix: Horde Bug 15122: Fix privacy issue with remote images being
loaded despite user's preference not to load remote images. May have
security consequences, too. (contributed by Jens Wahnes).
This fixes an old bug from the Horde bug tracker, see
https://bugs.horde.org/ticket/15122
As detailed in an article about yet another security issue there, the
loading of remote images may have security implications. So this is a
precaution to avoid any such issues.
M lib/Mime/Viewer/Html.php
https://github.com/horde/imp/commit/891814ff4e9f6966641687ff869d9d39cd38d41a
Priority ⇒ 2. Medium
New Attachment: imp-block-loading-of-remote-images-via-picture-source-srcset.patch
Patch ⇒ Yes
Milestone ⇒
Summary ⇒ Remote images are loaded when they should be blocked
Type ⇒ Bug
State ⇒ Unconfirmed
Queue ⇒ IMP
an HTML email, unless the user requests that remote images be loaded.
Blocking of remote image loading happens primarily when there is HTML
code such as "<img src='http://www.example.com/picture.jpg'>" inside
the HTML message.
In a recent report about a Horde vulnerability, which was focused on
another problem, it was also mentioned that this feature of blocking
remote image loading can easily be circumvented by using more
elaborate HTML code. As detailed at
<https://blog.sonarsource.com/horde-webmail-rce-via-email/>, remote
images are in fact loaded when using an HTML construct that looks like
this: "<picture><source srcset='...'></picture>".
To verify this, I set up a test HTML email that uses this "<picture>"
trick. The image referenced in the HTML mail is indeed fetched from
the remote server when this email is opened in Imp, even if the
setting to block the loading of remote images is in place. If you
like, I can share this test email with you.
The attached patch tries to fix this flaw by applying a similar
blocking pattern to HTML "source" elements as is already applied to
"img" elements. This code may need some more polishing to meet Horde's
standards, but it does solve this issue when opening the test email.
Note that this issue may not only have privacy implications, but in
special cases may also have security implications, as outlined in the
blog post.
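
Added example, not part of the ticket, the attached patch or Horde's code: one way to apply the same blocking rule to both "img" and "source" elements, including the multi-candidate "srcset" form. The function names and the rule that only cid: references count as local are assumptions of this example.

```php
<?php
// Assumption of this example: only cid: references (inline MIME parts) are local.
function isLocalRef(string $url): bool
{
    return stripos(ltrim($url), 'cid:') === 0;
}
// srcset is a list of "URL [descriptor]" candidates. It is local only if every
// candidate URL is local; anything that does not parse cleanly counts as remote.
function srcsetIsLocal(string $srcset): bool
{
    $expectUrl = true;
    foreach (preg_split('/\s+/', trim($srcset), -1, PREG_SPLIT_NO_EMPTY) as $tok) {
        $ok = $expectUrl ? isLocalRef(rtrim($tok, ','))
                         : preg_match('/^\d+(\.\d+)?[wx],?$/', $tok) === 1;
        if (!$ok) {
            return false;
        }
        $expectUrl = substr($tok, -1) === ',';  // a trailing comma ends the candidate
    }
    return true;
}

// Strip non-local src/srcset from <img> and <source>; returns [html, blockedCount].
function blockRemoteImages(string $html): array
{
    libxml_use_internal_errors(true);  // keep parser warnings about <picture> quiet
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $blocked = 0;
    foreach (['img', 'source'] as $tag) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            foreach (['src' => 'isLocalRef', 'srcset' => 'srcsetIsLocal'] as $attr => $isLocal) {
                if ($node->hasAttribute($attr) && !$isLocal($node->getAttribute($attr))) {
                    $node->removeAttribute($attr);
                    $blocked++;
                }
            }
        }
    }
    return [$doc->saveHTML(), $blocked];
}

// Constructed sample body: one inline image, one remote <img>, one remote <source>.
$sample = '<img src="cid:logo@example.com"><img src="http://www.example.com/picture.jpg">'
    . '<picture><source srcset="http://www.example.com/a.jpg 1x, http://www.example.com/b.jpg 2x">'
    . '<img src="cid:fallback@example.com"></picture>';
[$clean, $blocked] = blockRemoteImages($sample);
echo $clean, "\nblocked attributes: ", $blocked, "\n";
```

The check covers only the "src" and "srcset" attributes of "img" and "source", the two cases this ticket names, and it treats relative and data: URLs as non-local.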