6.0.0-beta1
▾
Tasks
New Task
Search
Photos
Wiki
▾
Tickets
New Ticket
Search
dev.horde.org
Toggle Alerts Log
Help
9/19/25
H
istory
A
ttachments
C
omment
W
atch
Download
Comment on [#5892] Linked attachment feature vulnerability
*
Your Email Address
*
Spam protection
Enter the letters below:
. ..__. __.. ..___. | || |(__ | | _/ |/\||__\.__)|/\|./__.
Comment
> The idea is that the server generate one unique id for each of the > email recipients, in such a way that the recipient could only open > his own attachment. Even if the attacker knows a valid id for his > evil file, that id should only work with his own horde account. For > the rest of the email recipients (who don't have accounts), there's > no problem, cause the main problem here is that the file is located > and run in the same domain of the recipient webmail account, that > makes possible the attack to happen. If you have the evil script > running on webmail.server1 and the victim has it's account on > webmail.server2, the script won't have the right permissions to XSS > the victim. > > For the "webmail.server1 attacker, webmail.server1 victim" problem, I > think that it's possible to check which attachment is "visible" to > which account. > > > >> But the attachments are sent to email _recipients_, who don't have > >> accounts. So how do you propose to enforce the uniqueness? The > >> attacker could send them any valid id. Secret doesn't matter. > >
Attachment
Watch this ticket
N
ew Ticket
M
y Tickets
S
earch
Q
uery Builder
R
eports
Saved Queries
Open Bugs
Bugs waiting for Feedback
Open Bugs in Releases
Open Enhancements
Enhancements waiting for Feedback
Bugs with Patches
Enhancements with Patches
Release Showstoppers
Stalled Tickets
New Tickets
Horde 5 Showstoppers