The vulnerability was tested on latest version as stated here https://www.horde.org/download/imp, but with applied patches:
Horde 5.2.23
IMP 6.2.27
A vulnerability within Horde Web Client was discovered during the investigation. Exploiting this vulnerability has already been seen in the wild.
If an attacker crafts a specially prepared email, he/she can abuse this vulnerability to retrieve username, password and complete email database of a user mailbox.
*Details*
The content inside email header base64 encoded text/html boundary contains a specially crafted HTML.
Injecting a XSS payload inside an HTML attribute, namely the “onerror” event handler, the server-side checks does not sanitize the payload and does not detect HTML encoded characters. When the browser renders the page, it will decode and execute the injected payload.
The payload is injected at the end of the legit HTML content.
Example:
```
Hi...
Regards
```
To evade detection Unicode characters can be used:
For eval:
- \u{065} represents the Unicode character for the letter "e."
- \u{076} represents the Unicode character for the letter "v."
- \141 (octal) or \x6C (hexadecimal) represents the letter "a."
- \x6C represents the hexadecimal for the letter "l."
For atob:
- \u{61} represents the Unicode character for the letter "a."
- \u{74} represents the Unicode character for the letter "t."
- o is a regular character.
- \142 (octal) represents the letter "b."
Example:
```
Hi...
Regards
```
The “nonexsisting.png” image is searched inside /imp, since it does not exist the “onerror” content is executed.
A specially crafted JavaScript code inside the *'base64 encoded JavaScript'* is executed.
This kind of crafted email is a zero-click attack, where no click is needed from a user side other then looking this email in the Horde web client.