
XSS Vulnerability on the Body of the Email #4739

Closed
rcubetrac opened this issue Jan 12, 2015 · 9 comments

Comments


Reported by phithon on 12 Jan 2015 17:03 UTC as Trac ticket #1490227

Hi, guys,
I've found that if someone sends you an email that includes this HTML code:

<img src="data:xxx1" style=aaa:'"/onerror=alert(1)//' >

the JavaScript code "alert(1)" will be executed.
The vulnerability occurs in "/program/lib/Roundcube/rcube_washtml.php":

else if ($key == 'style' && ($style = $this->wash_style($value))) {
    $quot = strpos($style, '"') !== false ? "'" : '"';
    $t .= ' style=' . $quot . $style . $quot;
}

When both a single quote and a double quote are in $style, the style attribute is closed early, and all the content after the quote breaks out of it.
<img src="data:xxx1" style=aaa:'"/onerror=alert(1)' > becomes <img src="data:xxx1" style='aaa: '"/onerror=alert(1)'' />
BTW, it only executes in Chrome.
[[Image(http://www.leavesongs.com/content/plugins/kl_album/upload/201501/a6469005d34f6cf677510da16ab733ee201501130059391461631074.jpg)]]

Keywords: XSS
Migrated-From: http://trac.roundcube.net/ticket/1490227
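The following is an added illustration, not Roundcube's code and not the commit that fixed this ticket. It reproduces the quote-selection logic quoted in the report as a stand-alone function, puts a hardened variant beside it that entity-encodes the value instead of switching delimiters (an assumed mitigation for illustration), and adds a small well-formedness check of the kind a unit test for an HTML washer could use. The style value used as input is constructed and carries no event handler.

```php
<?php
// Added example (not Roundcube's own code): contrast the quote-switching
// attribute writer quoted in this report with one that encodes quotes.

// Mirrors the logic from the report: choose whichever quote character does
// not appear in the value. It breaks when the value contains both kinds,
// because the chosen delimiter is then also present inside the value.
function style_attr_quote_switching(string $style): string
{
    $quot = strpos($style, '"') !== false ? "'" : '"';
    return ' style=' . $quot . $style . $quot;
}

// Hardened variant (an assumption for illustration, not the upstream fix):
// always delimit with double quotes and entity-encode the value, so neither
// quote character can terminate the attribute early.
function style_attr_encoded(string $style): string
{
    $encoded = htmlspecialchars($style, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return ' style="' . $encoded . '"';
}

// Check usable in a test: the attribute must be one delimited token whose
// raw delimiter character does not reappear before the closing delimiter.
function attribute_is_well_formed(string $attr): bool
{
    return (bool) preg_match('/^ style=(["\'])(?:(?!\1).)*\1$/s', $attr);
}

// Constructed sample value containing both quote characters, the condition
// described in the report. The trailing token is a harmless placeholder.
$sample = "aaa:'\"/foo=bar";

$broken = style_attr_quote_switching($sample);
$safe   = style_attr_encoded($sample);

printf("quote switching: %s  well-formed: %s\n",
    $broken, attribute_is_well_formed($broken) ? 'yes' : 'no');
printf("entity encoding: %s  well-formed: %s\n",
    $safe, attribute_is_well_formed($safe) ? 'yes' : 'no');
```

Run with `php example.php`: the quote-switching output is ` style='aaa:'"/foo=bar'`, where the second `'` closes the attribute and the check reports it as not well-formed; the encoded output keeps both quotes as entities inside a single double-quoted attribute and passes the check. The point for a sanitizer is that delimiter selection cannot be safe for values containing both delimiters, whereas encoding is safe regardless of the input.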


Comment by phithon on 12 Jan 2015 17:35 UTC

you can contact me.
[email protected]


Comment by @alecpl on 12 Jan 2015 17:57 UTC

I'm unable to reproduce, could you attach sample message?


Milestone changed by @alecpl on 12 Jan 2015 17:57 UTC

later => 1.1.0


Comment by @alecpl on 12 Jan 2015 19:55 UTC

Ah sorry, I didn't notice it is for Chrome only. Confirmed.


Comment by phithon on 13 Jan 2015 02:27 UTC

Replying to alec:

Ah sorry, I didn't notice it is for Chrome only. Confirmed.

This PoC works in most browsers except Firefox:

<img src="data:xxx1" style=aaa:'title="/"onerror=alert(1)//' >


Comment by @alecpl on 13 Jan 2015 08:42 UTC

Fixed in 786aa07.


Status changed by @alecpl on 13 Jan 2015 08:42 UTC

new => closed


Comment by agustin on 25 Jan 2015 18:22 UTC

Does this problem affect the version 0.9.5? Or is it only for versions 1.0 and later?


Comment by henrisalo on 29 Mar 2015 20:21 UTC

Please use CVE-2015-1433 for this issue, thanks.
