CVE-2013-6364
📋 TL;DR
CVE-2013-6364 is a combined CSRF and XSS vulnerability in Horde Groupware Webmail Edition that allows attackers to execute arbitrary web scripts or perform unauthorized actions when users save searches as virtual address books. This affects all users of vulnerable Horde installations, potentially compromising email accounts and address book data. The vulnerability requires user interaction but can lead to account takeover.
💻 Affected Systems
- Horde Groupware Webmail Edition
⚠️ Risk & Real-World Impact
Worst Case
Complete account compromise leading to email data theft, further phishing attacks from compromised accounts, and potential lateral movement within the organization.
Likely Case
Attackers steal session cookies or authentication tokens, gaining unauthorized access to the victim's email account and address book data.
If Mitigated
Limited impact with proper CSRF tokens, content security policies, and input validation in place.
🎯 Exploit Status
Exploitation requires the user to visit a malicious page while authenticated to Horde. Public exploit code exists in Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Horde Groupware Webmail Edition 5.1.2 and later
Vendor Advisory: http://archives.neohapsis.com/archives/bugtraq/2013-11/0012.html
Restart Required: No
Instructions:
1. Back up the current installation.
2. Download and install Horde Groupware Webmail Edition 5.1.2 or later from the official Horde repository.
3. Verify that the installation completes successfully.
4. Test virtual address book functionality.
🔧 Temporary Workarounds
Disable Virtual Address Book Feature
Temporarily disable the ability to save searches as virtual address books.
Edit the Horde configuration to remove or disable virtual address book functionality.
Implement CSRF Protection
Add CSRF tokens to all forms and validate them server-side.
Implement anti-CSRF tokens in Horde's form handling code.
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to prevent XSS execution
- Use web application firewall rules to block suspicious address book operations
🔍 How to Verify
Check if Vulnerable:
Check Horde version via admin interface or by examining source files. Versions below 5.1.2 are vulnerable.
Check Version:
Check Horde version in admin panel or examine horde/version.php file
Verify Fix Applied:
After patching, verify version is 5.1.2 or higher and test virtual address book functionality for proper input validation.
📡 Detection & Monitoring
Log Indicators:
- Unusual virtual address book creation patterns
- Multiple failed CSRF token validations
- Suspicious referrer headers in address book requests
Network Indicators:
- Unusual POST requests to address book save endpoints
- Requests with missing or invalid CSRF tokens
SIEM Query:
source="horde_logs" AND method="POST" AND ("virtual address book" OR "saveSearch") AND status="200" AND NOT referer="https://<your-horde-host>/*"
(Field names depend on your SIEM's schema; the point is to surface successful address book save requests whose Referer is not your own Horde host.)
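The log and network indicators above, turned into detection logic that can be run over web-server or proxy log lines. This is an added example, not code from the advisory or from the Horde project; the save endpoint path, the trusted Horde hostname and the trailing `token=` field are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Assumptions (not from the advisory): the address-book save endpoint, the
# trusted Horde host, and a trailing "token=" field that a proxy or
# application log must record for the CSRF-token check to be possible.
SAVE_ENDPOINTS = {"/horde/turba/search.php"}
TRUSTED_HOSTS = {"mail.example.com"}

# Constructed sample lines: combined log format plus the token field.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Nov/2013:10:01:02 +0000] "POST /horde/turba/search.php HTTP/1.1" 200 512 "https://mail.example.com/horde/turba/search.php" "Mozilla/5.0" token=abc123
203.0.113.7 - alice [12/Nov/2013:10:01:30 +0000] "POST /horde/turba/search.php HTTP/1.1" 200 512 "http://attacker.example/lure.html" "Mozilla/5.0" token=-
203.0.113.7 - alice [12/Nov/2013:10:01:31 +0000] "GET /horde/turba/search.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" token=-
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<referer>[^"]*)" "[^"]*" token=(?P<token>\S+)$'
)


def suspicious_reasons(token, referer):
    """Reasons a save request looks cross-site; empty list if it looks fine."""
    reasons = []
    if token == "-":  # form submitted without the anti-CSRF token
        reasons.append("missing CSRF token")
    if referer == "-":  # absent Referer is a weak signal, still worth noting
        reasons.append("no Referer")
    else:
        host = urlparse(referer).hostname
        if host not in TRUSTED_HOSTS:  # request originated on another site
            reasons.append("off-site Referer " + str(host))
    return reasons


def find_suspicious(log_text):
    """Return (client_ip, user, reasons) for each suspicious POST to a save endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] not in SAVE_ENDPOINTS:
            continue  # only POSTs to the save endpoint matter here
        reasons = suspicious_reasons(m["token"], m["referer"])
        if reasons:
            findings.append((m["ip"], m["user"], reasons))
    return findings
```

Feed real log lines in the same shape to `find_suspicious`; the legitimate first line is silently accepted, while the second is reported for both a missing token and an off-site Referer.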
🔗 References
- http://archives.neohapsis.com/archives/bugtraq/2013-11/0012.html
- http://www.exploit-db.com/exploits/29519
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6364
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6364
- https://security-tracker.debian.org/tracker/CVE-2013-6364
- https://www.securityfocus.com/archive/1/529589