Daniel De Reuck • 14 Mar 2022

Horde Webmail Vulnerability Discovered: Temporarily Disabled on All cPanel Servers


Due to a critical security flaw in the Horde webmail application, we’ve temporarily disabled Horde across all shared and managed cPanel servers to protect our clients. This decision comes in light of a long-standing vulnerability that could allow attackers to gain full access to your email account—simply by previewing an attachment.

For businesses and individuals in Ghana and beyond who rely on webmail for daily communication, this serves as a serious reminder of the importance of staying ahead of security threats. In this update, we explain the nature of the vulnerability, how it works, and the steps we’ve taken to safeguard your data.

We’ve been in contact with cPanel. They may patch Horde in the coming weeks, but we haven’t received any official date from their side as to when it could be fixed. You can be certain you’ll know as soon as we do.


Details of the vulnerability

This is a nine-year-old unpatched security vulnerability in Horde's software that could be abused to gain complete access to email accounts simply by previewing an attachment. Talk about a sleeper agent.

While a preview may seem innocuous, complete access to your email account and sensitive emails has serious implications for you and your business.

The flaw was unwittingly introduced on 30 November 2012, when faulty code was published by Horde developers that allows what’s called a Stored cross-site scripting (XSS) vulnerability, AKA Persistent XSS.

Stored cross-site scripting

A Stored/Persistent XSS vulnerability means the flaw is present in the actual website code stored on the web servers. The insecure code is therefore fetched and present in the site every time anyone visits it in their browser.

This allows a hacker who finds the flaw to send a malicious XSS payload to a web server running the vulnerable software; the vulnerability is then triggered and the payload executes in the browser of anyone who views the affected page.

Horde vulnerability – how it works

Specifically, this defect allows an attacker to embed a malicious JavaScript payload in an OpenOffice document and, for example, email it to victims. This places the malicious file on mail servers that also run the faulty Horde application, where the flawed code can be triggered automatically.

The victims are those who use the Horde email client to view their emails in their browser. When these unsuspecting users simply preview the seemingly harmless OpenOffice document, it triggers the vulnerability and executes the XSS payload in the document, giving the hacker access to everything the victim sends and receives.

It could be even worse. If an administrator falls victim to the malicious payload, the attacker can assume control of everything the admin has access to, that is, the entire webmail server.
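As an added example from the defender's side (not Horde's or HOSTAFRICA's code): a Python check that a mail gateway or attachment filter could run over an OpenDocument attachment to flag embedded script elements or javascript: links before a webmail client ever previews it. The ODF element and namespace names follow the OpenDocument format; the two sample documents are constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

JS_SCHEME = "javascript:"

def scan_odf_bytes(data: bytes) -> list[str]:
    """Flag <script> elements (any namespace, e.g. office:script) and
    attributes using the javascript: URL scheme inside an ODF zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append(f"{name}: unparseable XML (treat as suspicious)")
                continue
            for elem in root.iter():
                local = elem.tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix
                if local == "script":
                    findings.append(f"{name}: <{local}> element")
                for attr, value in elem.attrib.items():
                    if value.strip().lower().startswith(JS_SCHEME):
                        attr_local = attr.rsplit("}", 1)[-1]
                        findings.append(f"{name}: {attr_local}={value!r}")
    return findings

def build_sample(content_xml: str) -> bytes:
    """Assemble a minimal ODF-style zip in memory (constructed, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()

NS = ('xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
      'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
      'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" '
      'xmlns:xlink="http://www.w3.org/1999/xlink"')

# Constructed samples: a plain document and one carrying script content.
CLEAN = (f'<office:document-content {NS}><office:body><office:text>'
         '<text:p>Quarterly report</text:p></office:text></office:body></office:document-content>')
SUSPICIOUS = (f'<office:document-content {NS}><office:scripts>'
              '<office:script script:language="ooo:JavaScript"/></office:scripts>'
              '<office:body><office:text><text:p><text:a xlink:href="javascript:void(0)">'
              'Open</text:a></text:p></office:text></office:body></office:document-content>')
```

This is a coarse heuristic, not a substitute for the server-side fix: the preview code itself must strip or escape active content, and this check ignores non-XML parts of the archive.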

When was it reported?

The loophole was originally spotted and reported to the project maintainers on August 26, 2021. To date, no fixes have been shipped, despite the maintainers having acknowledged the flaw.

We’ve secured our clients

Again, in the meantime, we’ve disabled Horde on shared and managed cPanel servers. We won’t risk your security. We’ll keep you posted on any further updates.

Ashwin S.

The Author

Ashwin is a content specialist at HOSTAFRICA, where he's been crafting clear, authoritative copy since 2021. With a background in digital marketing and a passion for impactful storytelling, he turns complex ideas into trustworthy, engaging content. Ashwin's writing helps our audience navigate web hosting and cloud solutions with confidence.
