XSS Vulnerability on Identity configuration (and on "edit as new" function) #4283

Closed
rcubetrac opened this Issue Jul 18, 2013 · 19 comments


@rcubetrac

Reported by und3r on 18 Jul 2013 04:47 UTC as Trac ticket #1489251

Hi,

I've found an XSS vulnerability inside the "identity" configuration page. In the "Sign" textarea, after enabling HTML Sign, I clicked on the "HTML" button of the editor and wrote this HTML code:

testasd

Once you save it, when you move your mouse over the word "asd", the JavaScript "alert(document.cookie)" will be executed by the client. Every time you visit the "identity configuration page" the XSS is active.

Hope this can help,
thank you.

Andrea Menin
menin.andrea@gmail.com

Keywords: XSS
Migrated-From: http://trac.roundcube.net/ticket/1489251

@rcubetrac

Comment by und3r on 18 Jul 2013 05:11 UTC

I forgot: when you save the new "html sign" and write a new HTML mail, the XSS is still present, and when you move your mouse over the sign, the JavaScript XSS code will be executed by the client (see the attachment roundcube_XSS_2.jpg).

@rcubetrac

Comment by dennis1993 on 18 Jul 2013 08:49 UTC

It works in my installation, too.

I've tested a little bit. Create a group in your addressbook with this name:

If you click on this group after creation, the JavaScript code will be executed. If you rename this group, the name looks like this:

<script>alert('test');</script>

But now it's too late :)

@rcubetrac

Comment by und3r on 18 Jul 2013 09:15 UTC

I've tested a little bit. Create a group in your addressbook with this Name: <script>alert('test');</script>

It does not work for me on the address book group. Have you got the latest version, 0.9.2?

-Andrea

@rcubetrac

Comment by dennis1993 on 18 Jul 2013 09:28 UTC

Oh, I see, I have installed "Roundcube Webmail 1.0-git" for my tests. In this version I can execute the JavaScript.

I installed 0.9.2 for a few minutes and the same code is not executable. That's funny xD

If you download the current master from GitHub you can execute the JavaScript in the addressbook.

@rcubetrac

Comment by und3r on 18 Jul 2013 09:47 UTC

If you download the current master from github you can execute the Javascript in addressbook.

D'oh! :) So the XSS vulnerability inside the "signature" is also present in the 1.0-git?

-Andrea

@rcubetrac

Comment by dennis1993 on 18 Jul 2013 10:40 UTC

Yes, I can execute the JavaScript code in the signature with the following text:

mouseover-text

Maybe this is supposed to be like that. :-) I don't know.

@rcubetrac

Comment by @thomascube on 18 Jul 2013 15:57 UTC

Is this really XSS when it only affects your very own account? Can you make the scripts be executed by somebody else not using your login?

Nevertheless, we should filter the HTML source of signatures when saving as we can't be sure the receiving end will properly filter it.

@rcubetrac

Comment by dennis1993 on 18 Jul 2013 17:20 UTC

@thomasb: Yes, that's right. It is not possible to filter all content from the users.

But one question: why does XSS work at once in the addressbook in the current GIT master?
I have explained that in comment:3

@rcubetrac

Comment by und3r on 18 Jul 2013 22:55 UTC

Can you make the scripts to be executed by somebody else not using your login?

@thomasb: sure, for example if I write you an email that contains this "malicious" JavaScript code, and you click on "edit as new", the JavaScript will be executed by the client!!

I've made a test by sending this mail to my account:

HELO init.it
MAIL FROM: andrea.menin@init.it
RCPT TO: andrea.menin@init.it
DATA
From: Andrea <andrea.menin@init.it>
To: andrea.menin@init.it
Subject: test      
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="iso-8859-1"

<b onmouseover=alert(document.cookie)>asd</b>

.

See the attachments "edit_as_new_1.jpg" and "edit_as_new_2.jpg" for more details.
Sorry, but I call this an "XSS Vulnerability" :)

-Andrea

@rcubetrac

Summary changed by und3r on 18 Jul 2013 23:06 UTC

XSS Vulnerability on Identity configuration

XSS Vulnerability on Identity configuration (and on "edit as new" function)

@rcubetrac

Comment by @thomascube on 25 Jul 2013 20:25 UTC

I see. So it's not just an identity/signature issue but we generally lack HTML filtering when editing a message "as new".
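One way to implement the filtering thomascube asks for, both for signatures at save time and for message bodies loaded into the editor by "edit as new": an added example in Python, not Roundcube's own code (Roundcube ships its own washtml filter), built on the standard library's HTMLParser with a constructed allow-list of tags, attributes and URL schemes. Anything not on the allow-list is dropped, so the `onmouseover` handler from the report and the `<script>` group name both come out inert.

```python
from html import escape
from html.parser import HTMLParser
# Constructed allow-list for a signature / compose-editor HTML fragment.
ALLOWED_TAGS = {"a", "b", "i", "u", "em", "strong", "p", "br", "div", "span", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:", "cid:")
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}

class SignatureWasher(HTMLParser):
    """Allow-list sanitizer: unknown tags are dropped (text kept), script-like elements are
    dropped with their content, on* attributes are removed, href/src need a safe scheme."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = None  # name of the element whose content is being discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT and not self._dropping:
            self._dropping = tag
        if self._dropping or tag not in ALLOWED_TAGS:
            return  # the tag vanishes; outside a dropped element its text still reaches handle_data
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases attribute names for us
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # event handlers and non-allow-listed attributes are dropped
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # rejects javascript:, data:, vbscript: and similar
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._dropping:
            if tag == self._dropping:
                self._dropping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))  # re-encode entities the parser decoded

def wash_html(fragment):
    # Returns a washed copy of an HTML fragment (signature or "edit as new" body).
    washer = SignatureWasher()
    washer.feed(fragment)
    washer.close()
    return "".join(washer.out)
```

The same washer has to run on every path that feeds HTML into the editor, not only on the signature form, which is the point thomascube makes above.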

@rcubetrac

Comment by und3r on 26 Jul 2013 07:36 UTC

@thomasb yes, sorry. This kind of problem is present in all parts where there is the "MCE" editor (or, more specifically, where there is a with the CSS class "mce_editor").

-Andrea

@rcubetrac

Comment by @alecpl on 1 Aug 2013 12:54 UTC

Fixed in 93b0a30

@rcubetrac

Status changed by @alecpl on 1 Aug 2013 12:54 UTC

new => closed

@rcubetrac

Comment by @thomascube on 2 Aug 2013 15:43 UTC

Replying to thomasb:

Nevertheless, we should filter the HTML source of signatures when saving as we can't be sure the receiving end will properly filter it.

This should be done as well before closing this ticket.

@rcubetrac

Status changed by @thomascube on 2 Aug 2013 15:43 UTC

closed => reopened

@rcubetrac

Comment by @alecpl on 4 Aug 2013 10:42 UTC

Fixed in ce5a649.

@rcubetrac

Status changed by @alecpl on 4 Aug 2013 10:42 UTC

reopened => closed

@rcubetrac rcubetrac closed this Aug 4, 2013
@rcubetrac

Comment by @alecpl on 14 Sep 2013 08:36 UTC

I opened a separate ticket for the addressbook group name issue here: #1489333.

@rcubetrac rcubetrac added this to the 0.9.3 milestone Mar 20, 2016