XSS Vulnerability on the Body of the Email #4739

Closed
rcubetrac opened this Issue Jan 12, 2015 · 9 comments

Reported by phithon on 12 Jan 2015 17:03 UTC as Trac ticket #1490227

Hi, guys
I've found that if someone sends you an email that includes this HTML code:

<img src="data:xxx1" style=aaa:'"/onerror=alert(1)//' >

The JavaScript code "alert(1)" will be executed.
The vulnerability occurred in "/program/lib/Roundcube/rcube_washtml.php":

    else if ($key == 'style' && ($style = $this->wash_style($value))) {
        $quot = strpos($style, '"') !== false ? "'" : '"';
        $t .= ' style=' . $quot . $style . $quot;
    }

When both a single quote and a double quote are in $style, the style attribute will be closed, and all the content after the quote will get out.
<img src="data:xxx1" style=aaa:'"/onerror=alert(1)' > becomes <img src="data:xxx1" style='aaa: '"/onerror=alert(1)'' />
btw. it executes only in Chrome.
[Screenshot: http://www.leavesongs.com/content/plugins/kl_album/upload/201501/a6469005d34f6cf677510da16ab733ee201501130059391461631074.jpg]

Keywords: XSS
Migrated-From: http://trac.roundcube.net/ticket/1490227

Comment by phithon on 12 Jan 2015 17:35 UTC

You can contact me.
root@leavesongs.com

Comment by @alecpl on 12 Jan 2015 17:57 UTC

I'm unable to reproduce, could you attach sample message?

Milestone changed by @alecpl on 12 Jan 2015 17:57 UTC

later => 1.1.0

Comment by @alecpl on 12 Jan 2015 19:55 UTC

Ah sorry, I didn't notice it is for Chrome only. Confirmed.

Comment by phithon on 13 Jan 2015 02:27 UTC

Replying to alec:

Ah sorry, I didn't notice it is for Chrome only. Confirmed.

This PoC could work in most browsers except Firefox:

<img src="data:xxx1" style=aaa:'title="/"onerror=alert(1)//' >
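The quote-selection bug described in the report, reproduced stand-alone and fed both PoC style values (the Chrome-only one from the issue body and the cross-browser one above). This is an added example written for this page, not Roundcube's code and not the fix in 786aa07; the hardened variant, the `attr_breaks_out` check and the constructed style values are this editor's assumptions (the page does not show what wash_style() actually returns for these inputs).

```php
<?php
// Added example, not Roundcube's code. Reproduces the quote-selection logic
// quoted from rcube_washtml.php in the report as a stand-alone function, runs
// both PoC style values through it, and places a hardened variant beside it.
// The hardened variant and the check are assumptions about a safe approach,
// not the project's actual commit.

// Vulnerable: the delimiter is chosen only by whether a double quote is present.
// A value containing BOTH quote characters therefore contains its own delimiter,
// so the attribute closes early and the remainder is parsed as new attributes.
function style_attr_vulnerable(string $style): string
{
    $quot = strpos($style, '"') !== false ? "'" : '"';
    return ' style=' . $quot . $style . $quot;
}

// Hardened (assumed fix): fixed double-quote delimiter, value entity-encoded so
// that neither quote character (nor <, > or &) survives unescaped inside it.
function style_attr_hardened(string $style): string
{
    return ' style="' . htmlspecialchars($style, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
}

// Check: does the emitted attribute value contain its own delimiter?
// True means an HTML parser will terminate the attribute before the value ends.
function attr_breaks_out(string $attr): bool
{
    if (!preg_match('/^ style=(["\'])(.*)\1$/s', $attr, $m)) {
        return true; // not even a well-formed quoted attribute
    }
    return strpos($m[2], $m[1]) !== false;
}

// Constructed inputs: the style values from the two PoCs, as the washer might
// hand them on. This is an assumption; wash_style()'s real output is not on the page.
$pocs = [
    'chrome-only'   => "aaa: '\"/onerror=alert(1)//'",
    'cross-browser' => "aaa: 'title=\"/\"onerror=alert(1)//'",
];

foreach ($pocs as $name => $style) {
    $bad  = style_attr_vulnerable($style);
    $good = style_attr_hardened($style);
    printf("%s\n  vulnerable:%s  breaks out: %s\n  hardened:  %s  breaks out: %s\n",
        $name,
        $bad,  attr_breaks_out($bad)  ? 'yes' : 'no',
        $good, attr_breaks_out($good) ? 'yes' : 'no');
}
```

Run with `php example.php`. The vulnerable function reports a break-out for both PoCs because each value carries both quote characters, so whichever delimiter strpos() picks is already present in the value; the hardened function never does, since htmlspecialchars() with ENT_QUOTES turns both quotes into entities before they reach the attribute.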

Comment by @alecpl on 13 Jan 2015 08:42 UTC

Fixed in 786aa07.

Status changed by @alecpl on 13 Jan 2015 08:42 UTC

new => closed

rcubetrac closed this Jan 13, 2015

Comment by agustin on 25 Jan 2015 18:22 UTC

Does this problem affect the version 0.9.5? Or is it only for versions 1.0 and later?

Comment by henrisalo on 29 Mar 2015 20:21 UTC

Please use CVE-2015-1433 for this issue, thanks.

rcubetrac added this to the 1.1.0 milestone Mar 20, 2016
