In mid-July 2023, two critical security vulnerabilities were discovered in Benno MailArchiv.
One is a critical cross-site scripting (XSS) vulnerability, the other a critical cross-site request forgery (XSRF) vulnerability.

CVE numbers were assigned for the two security vulnerabilities:

  • CVE-2023-38347 (for the XSS vulnerability)
  • CVE-2023-38348 (for the XSRF vulnerability)

Solution:

Please update your Benno MailArchiv installation promptly to the latest version! Installing the packages benno-web (version 2.10.2) and benno-rest (version 2.10.1) updates the two affected components and closes both critical security vulnerabilities.

Important note on the update:

The update enforces the use of HTTPS (i.e., SSL/TLS-encrypted HTTP) for the WebApp directly from the installation!
After the update, logging in to the Benno WebApp is only possible via HTTPS!

Login over plain HTTP (unencrypted) remains possible, but it must be activated explicitly. The activation of Plaintext HTML Login is explained in this article in the Benno Wiki: https://wiki.benno-mailarchiv.de/doku.php/http_plaintext_access

WARNING – IMPORTANT:
The XSS vulnerability is only effectively closed when HTTPS is used.
If the installation is manually switched to Plaintext HTML Login as described above, the XSS vulnerability remains exploitable and the server is once again open to attack through it!

Further information on the two critical security vulnerabilities:

Regarding CVE-2023-38347 (XSS vulnerability):
The Benno WebApp renders emails in the web interface without filtering: HTML content is neither inspected for malicious JavaScript code nor sanitized before display.
If an archived email contains targeted, malicious JavaScript code and a user opens it in the Benno WebApp, that JavaScript can access the session cookie, read it, and transmit it to the attacker. An attacker could, for example, exfiltrate the affected user's Benno MailArchiv credentials and gain access to the mail archive (if it is reachable via the internet). It would also be possible to change the password of the logged-in Benno WebApp user. (This attack vector is limited to the lifetime of the session cookie; closing the victim's web browser invalidates the session cookie.)
In the benno-web package, cookie handling has been changed: the HttpOnly mode is now applied more broadly and cookies are marked Secure. A CSRF token has also been added to the forms in benno-web, which lets the web server determine whether a form submission came from a legitimate user via their browser or not. In addition, benno-rest now removes JavaScript code from HTML-formatted emails before they are displayed. With the updated versions of benno-web and benno-rest, this XSS security vulnerability is closed.

Regarding CVE-2023-38348 (XSRF vulnerability):
The XSRF security vulnerability allows an administrator to be lured to a prepared page via a link and then tricked into changing their password or other settings, which the attacker can then use. Attackers can use this "man-in-the-middle" approach to obtain credentials and other settings that the administrator configures via the WebApp.
The benno-web package now uses CSRF tokens. When a user logs in, benno-web generates a CSRF token that is kept in the session and expires when the session ends. benno-web adds this CSRF token as a hidden tag to every web form whose submission changes the database (e.g., changing passwords, adjusting users, etc.). When an administrator submits a change, the token is sent along and checked against the one issued for the session. "Man-in-the-middle" attacks of this kind are thus effectively prevented.
With the updated versions of benno-web and benno-rest, this security vulnerability is closed.
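As an added illustration (not Benno's own code), the following Python sketch shows the two server-side changes the advisory describes: a CSRF token bound to the session, carried in a hidden form field and verified on every state-changing submission, and a session cookie marked HttpOnly and Secure. The cookie name, form field name, and in-memory session store are assumptions made for the example.

```python
import hmac
import html
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory session store: session id -> session data.
SESSIONS: dict[str, dict] = {}


def login(username: str) -> tuple[str, str]:
    """Create a session and bind a freshly generated CSRF token to it.
    The token lives only as long as the session (see logout)."""
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "csrf": csrf_token}
    return session_id, csrf_token


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for the session cookie (name assumed).
    HttpOnly keeps page scripts from reading it; Secure restricts it to
    HTTPS, which is why the advisory insists on HTTPS after the update."""
    cookie = SimpleCookie()
    cookie["BENNO_SESSION"] = session_id
    cookie["BENNO_SESSION"]["httponly"] = True
    cookie["BENNO_SESSION"]["secure"] = True
    cookie["BENNO_SESSION"]["samesite"] = "Strict"
    return cookie.output(header="").strip()


def hidden_field(csrf_token: str) -> str:
    """The hidden tag embedded in every form that changes the database."""
    return f'<input type="hidden" name="csrf_token" value="{html.escape(csrf_token)}">'


def handle_password_change(session_id: str, form: dict) -> bool:
    """Apply a password change only if the submitted token matches the
    token issued for this session. Returns True on success."""
    session = SESSIONS.get(session_id)
    if session is None:  # expired or unknown session: token cannot be valid
        return False
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes avoids timing leaks and non-ASCII errors.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return False
    session["password"] = form["new_password"]
    return True


def logout(session_id: str) -> None:
    """End the session; the bound CSRF token expires with it."""
    SESSIONS.pop(session_id, None)
```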