XSS Vulnerability #4000

Closed
rcubetrac opened this Issue Nov 14, 2012 · 4 comments


@rcubetrac

Reported by noamr on 14 Nov 2012 11:47 UTC as Trac ticket #1488806

To trigger:

sendmail email@yourdomain.com < poc.eml
Then visit the RC panel and click on the email.

Vulnerable code:

file: ./program/lib/enriched.inc

function enriched_color($body){
    $pattern = '/(.*)\<color\>\<param\>(.*)\<\/param\>(.*)\<\/color\>(.*)/ims';
    while(preg_match($pattern,$body,$a)){
        //print_r($a);
        if (count($a)!=5) continue;

        //extract color (either by name, or ####,####,####)
        if (strpos($a[2],',')){
            // "rrrr,gggg,bbbb" form: keep the first 2 hex digits of each component
            $rgb = explode(',',$a[2]);
            $color ='#';
            for($i=0;$i<3;$i++) $color.=substr($rgb[$i],0,2); //just take first 2 bytes
        }else{
            // named-colour form: the raw <param> content is used as-is
            $color = $a[2];
        }

        //put it all together
        // $color (and $a[3]) are interpolated into the HTML without escaping or validation
(*)     $body = $a[1].'<span style="color: '.$color.'">'.$a[3].'</span>'.$a[4];
    }

    return $body;
}

In the PoC, the color/param tags are constructed in such a way that on line (*) the span tag will be closed. There is no HTML sanitization between preg_match and line (*), so arbitrary JS can be injected into the rendered email body.

To trigger this functionality, the email's Content-Type must be text/enriched.

Migrated-From: http://trac.roundcube.net/ticket/1488806
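The following is an added illustration, not code from the report, from Roundcube, or from the fix referenced below. It ports the quoted enriched_color() logic to Python so the attribute-injection path can be exercised offline, and places a hardened variant beside it. The PHP modifiers ims map to re.I | re.M | re.S, and preg_match() on a pattern that begins with (.*) behaves like re.match() because the leading group absorbs any prefix. The allow-list (a CSS colour keyword or #rrggbb), the helper names and the constructed inputs are assumptions made for this example; the payload is built to show the mechanism the reporter describes and is not the reporter's poc.eml.

```python
import html
import re

# Port of the vulnerable enriched_color() regex quoted in the report (PHP -> Python).
COLOR_RE = re.compile(r'(.*)<color><param>(.*)</param>(.*)</color>(.*)',
                      re.I | re.M | re.S)

# Added allow-list (assumption, not from the report): a colour keyword or #rrggbb.
SAFE_COLOR_RE = re.compile(r'(?:[a-z]{1,20}|#[0-9a-f]{6})', re.I)


def parse_color(param: str) -> str:
    """Mirror the PHP colour extraction: 'name' or 'rrrr,gggg,bbbb' -> '#rrggbb'.

    PHP's strpos() is falsy for a comma at offset 0, hence find() > 0.
    PHP would raise a notice for a missing component and treat it as ''.
    """
    if param.find(',') > 0:
        rgb = param.split(',')
        return '#' + ''.join((rgb[i] if i < len(rgb) else '')[:2] for i in range(3))
    return param


def enriched_color_vulnerable(body: str) -> str:
    """Faithful port of the reported code: the <param> content reaches the
    style attribute without validation or escaping."""
    while True:
        m = COLOR_RE.match(body)
        if m is None:
            return body
        pre, param, text, post = m.groups()
        color = parse_color(param)
        body = pre + '<span style="color: ' + color + '">' + text + '</span>' + post


def enriched_color_hardened(body: str) -> str:
    """Same conversion, but the colour must pass the allow-list before it is
    interpolated, and it is attribute-escaped as a second layer. A <color>
    block whose value fails the allow-list keeps its text and loses the styling.
    Only the attribute-injection path is closed here; the text groups still
    have to go through whatever HTML sanitizer renders the message."""
    while True:
        m = COLOR_RE.match(body)
        if m is None:
            return body
        pre, param, text, post = m.groups()
        color = parse_color(param)
        if SAFE_COLOR_RE.fullmatch(color):
            span = '<span style="color: %s">' % html.escape(color, quote=True)
            body = pre + span + text + '</span>' + post
        else:
            body = pre + text + post


# Constructed inputs for this example: a benign RGB colour, and a <param>
# payload that closes the style attribute and the span before injecting script.
BENIGN = '<color><param>ff00,8000,0000</param>orange text</color>'
PAYLOAD = '<color><param>red"><script>alert(1)</script><span x="</param>hi</color>'


if __name__ == '__main__':
    print(enriched_color_vulnerable(BENIGN))
    print(enriched_color_vulnerable(PAYLOAD))  # <script> lands in the output
    print(enriched_color_hardened(PAYLOAD))    # styling dropped, text kept
```

Running the block shows the vulnerable port emitting `<span style="color: red"><script>alert(1)</script><span x="">hi</span>` for the payload, while the hardened port emits only `hi`; both produce `<span style="color: #ff8000">orange text</span>` for the benign input, so legitimate enriched colours are unaffected by the allow-list.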

@rcubetrac

Milestone changed by @alecpl on 14 Nov 2012 12:09 UTC

later => 0.9-beta

@rcubetrac

Comment by @alecpl on 14 Nov 2012 12:33 UTC

Fixed in d15163a

@rcubetrac

Status changed by @alecpl on 14 Nov 2012 12:33 UTC

new => closed

@rcubetrac rcubetrac closed this Nov 14, 2012
@rcubetrac

Milestone changed by @thomascube on 14 Nov 2012 20:57 UTC

0.9-beta => 0.8.4

@rcubetrac rcubetrac added this to the 0.8.4 milestone Mar 20, 2016