# Title: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <=
v5.2.22
# Date: 17.05.2019
# Author: Numan OZDEMIR
# Vendor Homepage: https://www.horde.org/
# Version: Up to v5.2.22.
# CVE: CVE-2019-12094 & CVE-2019-12095
# root@numanozdemir.com && numan.ozdemir@infinitumit.com.tr
# PoC: https://numanozdemir.com/respdisc/horde/horde.mp4
# Materials: https://numanozdemir.com/respdisc/horde/materials.zip
# Description:
# Attacker can combine "CSRF vulnerability in Trean Bookmarks (defaultly
installed on Horde Groupware)" and
# "Stored XSS vulnerability in Horde TagCloud (defaultly installed)"
vulnerabilities to steal victim's emails.
# Also:
# Attacker can use 3 different reflected XSS vulnerability to exploit
Remote Command Execution, SQL Injection and Code Execution.
# To steal e-mails, attacker will send an e-mail to victim and victim
will click the attacker's website.
# So, victim's inbox will be dumped in attacker's FTP.
# All of them vulnerabillities are valid for all Horde Webmail versions.
# Attacker will exploit the CSRF and XSS with: index.html
# Attacker will steal and post the emails with: stealer.js
# Attacker will save the emails with: stealer.php
# index.html Codes: