XSS within _mbox parameter

[rcubetrac]

Reported by abyszko on 9 Aug 2011 10:37 UTC as Trac ticket #1488030

During one of pen-tests I found that _mbox parameter is not properly sanitized and reflected XSS attack is possible - example

http://server/roundcube/?_mbox=%3Cscript%3Ealert(document.cookie)%3C/script%3E

I verified this on 0.5.2 and latest version from trunk.

Migrated-From: http://trac.roundcube.net/ticket/1488030

[rcubetrac]

Comment by @alecpl on 9 Aug 2011 13:48 UTC

I'm unable to reproduce.

[rcubetrac]

Comment by @alecpl on 9 Aug 2011 13:48 UTC

I'm unable to reproduce.

[rcubetrac]

Milestone changed by @alecpl on 9 Aug 2011 13:48 UTC

later => 0.6-beta

[rcubetrac]

Milestone changed by @alecpl on 9 Aug 2011 13:48 UTC

later => 0.6-beta

[rcubetrac]

Comment by abyszko on 9 Aug 2011 14:03 UTC

Are you authenticated?

[rcubetrac]

Comment by abyszko on 9 Aug 2011 14:03 UTC

Are you authenticated?

[rcubetrac]

Comment by phs on 9 Aug 2011 17:37 UTC

Could reproduce it (see attachment "screenshot.png").

[rcubetrac]

Comment by phs on 9 Aug 2011 17:37 UTC

Could reproduce it (see attachment "screenshot.png").

[rcubetrac]

Comment by @alecpl on 9 Aug 2011 18:41 UTC

I think 8dd172a fixes the issue.

[rcubetrac]

Comment by @alecpl on 9 Aug 2011 18:41 UTC

I think 8dd172a fixes the issue.

[rcubetrac]

Status changed by @alecpl on 9 Aug 2011 18:41 UTC

new => closed

[rcubetrac]

Status changed by @alecpl on 9 Aug 2011 18:41 UTC

new => closed