Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
Sign upXSS within _mbox parameter #3469
Comments
This comment has been minimized.
This comment has been minimized.
|
Comment by @alecpl on 9 Aug 2011 13:48 UTC I'm unable to reproduce. |
This comment has been minimized.
This comment has been minimized.
|
Milestone changed by @alecpl on 9 Aug 2011 13:48 UTC later => 0.6-beta |
This comment has been minimized.
This comment has been minimized.
|
Comment by abyszko on 9 Aug 2011 14:03 UTC Are you authenticated? |
This comment has been minimized.
This comment has been minimized.
|
Comment by phs on 9 Aug 2011 17:37 UTC Could reproduce it (see attachment "screenshot.png"). |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Status changed by @alecpl on 9 Aug 2011 18:41 UTC new => closed |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
rcubetrac commentedAug 9, 2011
Reported by abyszko on 9 Aug 2011 10:37 UTC as Trac ticket #1488030
During one of pen-tests I found that _mbox parameter is not properly sanitized and reflected XSS attack is possible - example
http://server/roundcube/?_mbox=%3Cscript%3Ealert(document.cookie)%3C/script%3E
I verified this on 0.5.2 and latest version from trunk.
Migrated-From: http://trac.roundcube.net/ticket/1488030