Here's a WebmasterWorld exclusive because I just noticed it today, you won't see this vulnerability alert posted anywhere else.
Horde webmail is used by Plesk, which is how I discovered this problem from cutting and pasting text out of a Horde webmail screen into a blog editor. The blog post had been posted many days before I went back and, to my horror, saw that all of the links in the blog post were redirecting back through my webmail account!
Normally I notice those things and cut out the Horde redirect but in this instance it just slipped through the cracks.
Likewise, using the right mouse to "copy link location" from a link within a Horde email and pasting it will also result in exposing the same phishable redirector links if you aren't paying attention.
Horde uses a URL redirect filter (go.php) for all links included in an email to attempt to filter out certain bad things. For example, a link in an email to:
Would be turned into:
When I clicked on the links redirecting through Horde as shown above, they still worked, even in another browser, or on another machine!
What that means is anyone could phish for customers by using spam with something like this:
People reading the email would see my site in the URL and probably think it was safe to click through and that's when the fun starts.
This means people can use your Webmail server for all sorts of phishing exploits without ever hacking into your server, and your customers are particularly at risk of being phished to get account information. As a matter of fact, the URL could even be used to post spam on some other insecure site, loads of fun.
To fix the problem I dug through Horde and made a quick and dirty patch so anyone not logged into webmail will get the Horde login screen, to avoid phish attempts.
Here's a sample of the quick patch I made to Horde on Plesk.
Edit the Horde file "go.php" that in Linux with Plesk may typically be located at:
Add the following line below the header comments in go.php but above all the other code in the file:
require_once '/usr/share/psa-horde/imp/lib/base.php';
Remember, this is a quick and dirty patch and that path was the same on two of my Linux servers but yours may be different. From the Linux command line use "locate base.php" to find the explicit path to the code on your server and use that explicit path.
That will stop anyone that figures out you're using Plesk or Horde in general from using your own site as a phish pharm.
If you're using a Plesk host, you might want to ask your hosting company to apply this patch to save your site from phishing as it requires root access to the server to implement this change.
Hope this helps to secure your site.
[edited by: incrediBILL at 4:22 am (utc) on Aug. 11, 2008]
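For comparison with the quick patch above, here is an added example (not Horde's go.php and not any Plesk code) of a link redirector that refuses anonymous use the way the patch does, and additionally binds each link to an HMAC computed when the message was rendered, so a link copied out of webmail cannot be re-pointed at a different site. The constant REDIRECT_SECRET, the parameter name h, the $_SESSION['user'] check and the /login.php path are assumptions.

```php
<?php
// Added example, not Horde's or Plesk's code: a minimal hardened link
// redirector in the spirit of go.php. A link is followed only when
// (1) the caller has an authenticated webmail session,
// (2) the target is an absolute http(s) URL, and
// (3) the link carries an HMAC minted by this webmail when the message
//     was rendered, so a copied link cannot be repurposed.
// REDIRECT_SECRET, the 'h' parameter and the session key are assumptions.

const REDIRECT_SECRET = 'replace-with-a-random-per-install-secret'; // placeholder

// Called when rendering a message: build the redirector link for $url.
function buildRedirectLink(string $url): string {
    $mac = hash_hmac('sha256', $url, REDIRECT_SECRET);
    return '/go.php?url=' . rawurlencode($url) . '&h=' . $mac;
}

// Returns the URL to redirect to, or null if the request must be refused.
function checkRedirect(array $query, bool $loggedIn): ?string {
    if (!$loggedIn) {
        return null;                       // anonymous use: send to login instead
    }
    $url = (string) ($query['url'] ?? '');
    $mac = (string) ($query['h'] ?? '');
    // Constant-time compare; $_GET already URL-decoded $url, so the HMAC
    // is computed over the same string buildRedirectLink() signed.
    if (!hash_equals(hash_hmac('sha256', $url, REDIRECT_SECRET), $mac)) {
        return null;                       // link was not minted by this webmail
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                       // relative URLs, javascript:, data:, etc.
    }
    return $url;
}

session_start();
$loggedIn = !empty($_SESSION['user']);     // assumption: login sets $_SESSION['user']
$target = checkRedirect($_GET, $loggedIn);
if ($target === null) {
    header('Location: /login.php', true, 302);   // assumption: login page path
    exit;
}
header('Location: ' . $target, true, 302);
exit;
```

With this in place, a link pasted into a blog post still shows the webmail hostname, but following it as an anonymous visitor yields the login page rather than a redirect, and altering the url parameter invalidates the HMAC even for a logged-in user.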