Horde Webmail Has Zero-Day RCE Bug – Will Not Be Patched

What if you have software with a vulnerability that will not be patched? What does this mean?


RCE means Remote Code Execution, which means the attacker does not have to be on the system to exploit it (this is the most dangerous kind of attack).

If you are running Horde webmail to check your email, then it is time to stop. The developers of Horde are not updating the software anymore. From the Horde maintainers' web site: https://www.horde.org/apps/webmail/docs/RELEASE_NOTES


The Horde Team is pleased to announce the final release of the Horde Groupware Webmail Edition version 5.2.22.

Horde Groupware Webmail Edition is a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages with four different webmail interfaces and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project.


This announcement unfortunately means you can no longer safely use this software: it has an RCE bug, which means that if you keep using Horde you will be hacked (eventually).

Some are referring to this issue as abandonware.

The programmers did this open source project without getting paid for it (unless someone voluntarily gave money), so it eventually died out.

For open source software to work it has to have a large following and some momentum behind it. Otherwise this kind of thing happens. Not all programmers love a program so much that they will work on it for free forever, especially if there is a security bug that might take a while to fix (not that I know why the Horde developers did this).

The only indication we have is from the PortSwigger article:

Horde Webmail contains zero-day RCE bug with no patch on the horizon

And the relevant sentence:

A patch for the remote code execution (RCE) vulnerability in the open source platform may never surface given that the current version, which contains the flaw, has been flagged by the maintainers as the final release.

Sonar researchers have therefore advised users to abandon Horde Webmail.

Thus if you are using Horde Webmail, even bundled in cPanel or inside other software, you have to abandon it: uninstall it and use something else.
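One way to act on that advice across a fleet is an inventory check that treats a product whose final release still contains the flaw differently from a product that simply needs an upgrade. This is an added example, not code from the post or from the Horde project; the Horde final release number 5.2.22 comes from the release notes above, while the host names, the second product and its "fixed in" version are constructed placeholders.

```python
"""Flag inventory entries affected by an unpatched, end-of-life product."""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(s: str) -> tuple:
    """'5.2.22' -> (5, 2, 22). A suffix such as '22rc1' counts as 22."""
    parts = []
    for piece in s.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


@dataclass
class Rule:
    product: str
    # None means the final release shipped with the flaw and no fix is coming,
    # so every installed version is affected.
    fixed_in: Optional[str]

    def verdict(self, installed: str) -> str:
        if self.fixed_in is None:
            return "remove: unpatched and end-of-life"
        if parse_version(installed) < parse_version(self.fixed_in):
            return f"upgrade to {self.fixed_in}"
        return "ok"


# Horde Groupware Webmail: final release 5.2.22 still contains the RCE (from the page).
# 'example-mailer' is a constructed placeholder product, not a real advisory.
RULES = {
    "horde-groupware-webmail": Rule("horde-groupware-webmail", fixed_in=None),
    "example-mailer": Rule("example-mailer", fixed_in="2.4.0"),
}

# Constructed inventory rows: (host, product, installed version).
INVENTORY = [
    ("mail01", "horde-groupware-webmail", "5.2.22"),
    ("mail02", "horde-groupware-webmail", "5.2.17"),
    ("mail03", "example-mailer", "2.3.9"),
    ("mail04", "example-mailer", "2.4.1"),
]


def assess(inventory=INVENTORY, rules=RULES) -> dict:
    """Return {host: verdict} for every inventoried product that has a rule."""
    return {host: rules[prod].verdict(ver)
            for host, prod, ver in inventory if prod in rules}


if __name__ == "__main__":
    for host, verdict in assess().items():
        print(f"{host}: {verdict}")
```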


Contact me to discuss abandonware, or try to convince your friends that they need to check whether they have Horde email and uninstall it. Be the CyberCrowd and help others see IT complexities.

