
XSS Vulnerability on Identity configuration (and on "edit as new" function) #4283

rcubetrac opened this issue Jul 18, 2013 · 19 comments

@rcubetrac

Reported by und3r on 18 Jul 2013 04:47 UTC as Trac ticket #1489251

Hi,

I've found an XSS vulnerability inside the "identity" configuration page. In the "Sign" textarea, enabling HTML Sign, I clicked on the "HTML" button on the editor and wrote this HTML code:

test<b onmouseover=alert(document.cookie)>asd</b>

Once you save it, when you move your mouse over the word "asd", the JavaScript "alert(document.cookie)" will be executed by the client. Every time you visit the "identity configuration page" the XSS is active.

Hope this can help,
thank you.

Andrea Menin
[email protected]

Keywords: XSS
Migrated-From: http://trac.roundcube.net/ticket/1489251

Comment by und3r on 18 Jul 2013 05:11 UTC

I forgot: when you save the new "html sign" and write a new HTML mail, the XSS is still present, and when you move your mouse over the sign, the JavaScript XSS code will be executed by the client (see the attachment roundcube_XSS_2.jpg).

Comment by dennis1993 on 18 Jul 2013 08:49 UTC

It works in my installation, too.

I've tested a little bit. Create a group in your addressbook with this name: <script>alert('test');</script>

If you click on this group after creation, the JavaScript code will be executed. If you rename this group, the name looks like this:

<script>alert('test');</script>

But now it's too late :)

Comment by und3r on 18 Jul 2013 09:15 UTC

I've tested a little bit. Create a group in your addressbook with this Name: <script>alert('test');</script>

It does not work for me on the address book group. Have you got the latest version, 0.9.2?

-Andrea

Comment by dennis1993 on 18 Jul 2013 09:28 UTC

Oh, I see, I have installed the "Roundcube Webmail 1.0-git" for my tests. In this version I can execute the JavaScript.

I installed 0.9.2 for a few minutes and the same code is not executable. That's funny xD

If you download the current master from GitHub you can execute the JavaScript in the addressbook.

Comment by und3r on 18 Jul 2013 09:47 UTC

If you download the current master from GitHub you can execute the JavaScript in the addressbook.

D'oh! :) So the XSS vuln inside the "signature" is also present in the 1.0-git?

-Andrea

Comment by dennis1993 on 18 Jul 2013 10:40 UTC

Yes, I can execute the JavaScript code in the signature with the following text:

mouseover-text

Maybe this is supposed to be like that. :-) I don't know.

Comment by @thomascube on 18 Jul 2013 15:57 UTC

Is this really XSS when it only affects your very own account? Can you make the scripts be executed by somebody else not using your login?

Nevertheless, we should filter the HTML source of signatures when saving as we can't be sure the receiving end will properly filter it.

Comment by dennis1993 on 18 Jul 2013 17:20 UTC

@thomasb: Yes, that's right. It is not possible to filter all content from the users.

But one question: why does XSS suddenly work in the addressbook in the current git master?
I have explained that in comment:3.

Comment by und3r on 18 Jul 2013 22:55 UTC

Can you make the scripts be executed by somebody else not using your login?

@thomasb: sure, for example if I write you an email that contains this "malicious" JavaScript code, and you click on "edit as new", the JavaScript will be executed by the client!!

I made a test by sending this mail to my account:

HELO init.it
MAIL FROM: [email protected]
RCPT TO: [email protected]
DATA
From: Andrea <[email protected]>
To: [email protected]
Subject: test      
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="iso-8859-1"

<b onmouseover=alert(document.cookie)>asd</b>

.

See the attachments "edit_as_new_1.jpg" and "edit_as_new_2.jpg" for more details.
Sorry, but I call this an "XSS Vulnerability" :)

-Andrea

Summary changed by und3r on 18 Jul 2013 23:06 UTC

XSS Vulnerability on Identity configuration => XSS Vulnerability on Identity configuration (and on "edit as new" function)

Comment by @thomascube on 25 Jul 2013 20:25 UTC

I see. So it's not just an identity/signature issue but we generally lack HTML filtering when editing a message "as new".
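As an added example, not Roundcube's own code nor the fix in the commits referenced in this ticket, a small allow-list HTML filter in Python showing the two defences the thread calls for: sanitising stored HTML (signatures, "edit as new" bodies) on save so that event handler attributes such as onmouseover are dropped, and escaping plain-text fields such as the addressbook group name on output instead of treating them as HTML. The tag and attribute allow-lists are assumptions chosen for the example, and the sample payload is the one quoted in the ticket.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list for stored HTML: tags/attributes not listed are dropped, so no on* handler survives.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "div", "span", "strong", "em"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SIGNATURE_PAYLOAD = "test<b onmouseover=alert(document.cookie)>asd</b>"  # constructed from the ticket

class SignatureSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag in DROP_WITH_CONTENT:
            self.skip_depth += tag != "br"  # <br> has no end tag, so it must not count
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself but keep its text content
        kept = []
        for name, value in attrs:  # onmouseover, onclick, ... are in no allow-list
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not value.strip().lower().startswith(("http://", "https://", "mailto:")):
                continue  # javascript: and data: URLs are not links we keep
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag != "br"
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_html(html):  # the filter to run when a signature or an edited-as-new body is saved
    p = SignatureSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)

def escape_text(text):
    """Plain-text fields such as a group name are not HTML: escape them on output."""
    return escape(text, quote=True)
```

Filtering on save protects the stored copy regardless of which editor view (the MCE "HTML" source mode included) produced it; escaping on output is the right tool for fields that were never meant to hold markup.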

Comment by und3r on 26 Jul 2013 07:36 UTC

@thomasb yes, sorry. This kind of problem is present in all parts where there is the "MCE" editor (or, more specifically, where there is a <textarea> with the CSS class "mce_editor").

-Andrea

Comment by @alecpl on 1 Aug 2013 12:54 UTC

Fixed in 93b0a30

Status changed by @alecpl on 1 Aug 2013 12:54 UTC

new => closed

Comment by @thomascube on 2 Aug 2013 15:43 UTC

Replying to thomasb:

Nevertheless, we should filter the HTML source of signatures when saving as we can't be sure the receiving end will properly filter it.

This should be done as well before closing this ticket.

Status changed by @thomascube on 2 Aug 2013 15:43 UTC

closed => reopened

Comment by @alecpl on 4 Aug 2013 10:42 UTC

Fixed in ce5a649.

Status changed by @alecpl on 4 Aug 2013 10:42 UTC

reopened => closed

Comment by @alecpl on 14 Sep 2013 08:36 UTC

I opened a separate ticket for the addressbook group name issue here: #1489333.
