OX Dovecot Improper Attachment Handling Leading to Unintended File Indexing Vulnerability
Vulnerability
A vulnerability exists in OX Dovecot in a script provided for converting attachments to text, which improperly handles zip-style attachments. Because OOXML documents are zip containers, an attacker can craft an OOXML attachment that manipulates the indexing process so that unintended files on the system are indexed and included in Full Text Search (FTS) indexes. The vulnerability is present in OX Dovecot Pro versions 2.3.0 and 3.1.0, and in OX Dovecot CE versions 2.4.0 and 2.4.1.
Impact
Exploitation of this vulnerability allows for unintended files on the system to be indexed and subsequently included in FTS indexes, potentially leading to unauthorized access or exposure of sensitive information.
Remediation
Users are advised not to use the provided script for attachment handling and to use an alternative method instead, such as FTS Tika. For those using OX Dovecot Pro 2.3.0, upgrading to version 2.4.3 or 3.1.3 is recommended.
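As an added, illustrative example (not Dovecot's script, nor the vendor's recommended converter), the following Python shows a defensive OOXML-to-text extractor that reads only an allow-list of archive members purely in memory, rejects entries with traversal-style or absolute names and symlink entries, and never writes anything to disk; the allow-list, the size cap and the constructed sample archive are assumptions.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Assumed allow-list of OOXML members that carry body text (not Dovecot's own list).
ALLOWED = re.compile(r"^(word/document\.xml|xl/sharedStrings\.xml|ppt/slides/slide\d+\.xml)$")
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # constructed cap on one decompressed member

def member_is_safe(info: zipfile.ZipInfo) -> bool:
    """Reject names that point outside the archive (absolute paths, '..' parts,
    backslashes), unix symlink entries, and members beyond the size cap."""
    name = info.filename
    if name.startswith(("/", "\\")) or "\\" in name or ".." in name.split("/"):
        return False
    if (info.external_attr >> 16) & 0o170000 == 0o120000:  # symlink mode bits
        return False
    return info.file_size <= MAX_MEMBER_BYTES

def ooxml_to_text(data: bytes):
    """Return (text, skipped): text of allow-listed members read in memory,
    plus the names of members that were ignored. Nothing touches the filesystem."""
    text_parts, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not member_is_safe(info) or not ALLOWED.match(info.filename):
                skipped.append(info.filename)
                continue
            root = ET.fromstring(zf.read(info.filename))  # parsed from bytes, never extracted
            text_parts.append(" ".join(t.strip() for t in root.itertext() if t.strip()))
    return "\n".join(text_parts), skipped

def build_sample() -> bytes:
    """Constructed docx-like archive: one legitimate body member, one entry with
    a traversal-style name, and one unrelated metadata member."""
    body = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>quarterly report</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body)
        zf.writestr("../outside.txt", "must never be read or written")
        zf.writestr("docProps/core.xml", "<cp:coreProperties/>")
    return buf.getvalue()

if __name__ == "__main__":
    text, skipped = ooxml_to_text(build_sample())
    print(repr(text), skipped)
```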
