
Roundcube Cross-Site Scripting #7507

Closed
aliveli365 opened this issue Jul 24, 2020 · 6 comments

Comments

@aliveli365

aliveli365 commented Jul 24, 2020

xss

Example page:
-- http://localhost.com/cpsess5903914110/3rdparty/roundcube/?_task=settings&_action=identities
-- ADD SIGNATURE HTML
-- Select source code
-- Payload is entered in the name field
-- Save and run
Payload:
--

Mail : cybersecurity@muslumdag.com

@alecpl
Member

alecpl commented Jul 25, 2020

It would be XSS if a 3rd party could do this. What payload? A <script> or something more sophisticated?

@aliveli365
Author

Check from here : https://cxsecurity.com/issue/WLB-2020010153

@alecpl
Member

alecpl commented Jul 25, 2020

So, this is <embed> with insecure src=data:image/svg+xml,... I confirm this in release-1.4, but not in git-master. I'll see if there's some easy fix possible for 1.4.

As this works only with a content inserted by the user itself, I'm not even sure we can call it a security issue.

@alecpl
Member

alecpl commented Jul 25, 2020

It does not happen in the mail compose editor, probably because the media plugin is enabled there. It looks like we could set invalid_elements: 'embed' to prevent that issue in the signature editor.

@alecpl alecpl added this to the 1.4.8 milestone Jul 25, 2020
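The two technical points in this thread are the <embed> element whose src is a data: URI (confirmed above in release-1.4) and the proposed fix of setting TinyMCE's invalid_elements to 'embed' in the signature editor. The following is an added example written for this page, not Roundcube's or TinyMCE's own code: a small tag scanner that models what invalid_elements does to a saved signature (the tag pair is dropped, child content kept) and a companion check that reports embed/object/iframe tags loading a data: URI, which is what a reviewer of stored signature HTML would want to flag. The element lists, function names and the sample signature are constructed for this example; the sample uses an empty SVG, not a payload.

```javascript
// Constructed example for this issue; not Roundcube or TinyMCE code.
const INVALID_ELEMENTS = ['embed'];                      // mirrors the proposed invalid_elements setting
const DATA_URI_BEARERS = ['embed', 'object', 'iframe'];  // tags whose src/data attribute loads a document

// Read one tag starting at html[i] === '<'. Quoted attribute values may legitimately
// contain '>' (an inline SVG data: URI does), so quote state is tracked instead of
// relying on a naive /<[^>]*>/ regex that would split the tag in the wrong place.
function readTag(html, i) {
  let j = i + 1, isClose = false, name = '';
  if (html[j] === '/') { isClose = true; j++; }
  while (j < html.length && /[A-Za-z0-9]/.test(html[j])) name += html[j++];
  const attrStart = j;
  let quote = null;
  for (; j < html.length; j++) {
    const c = html[j];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '>') break;
  }
  return {
    start: i,
    end: Math.min(j + 1, html.length),
    name: name.toLowerCase(),
    isClose,
    attrs: html.slice(attrStart, j),
  };
}

// Yield every tag in document order; text between tags is left to the caller.
function* tags(html) {
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    const t = readTag(html, i);
    yield t;
    i = t.end;
  }
}

// Approximation of TinyMCE's invalid_elements: opening and closing tags of a banned
// element are removed, any content between them is preserved.
function stripInvalidElements(html, invalid = INVALID_ELEMENTS) {
  const banned = new Set(invalid.map(n => n.toLowerCase()));
  let out = '', pos = 0;
  for (const t of tags(html)) {
    out += html.slice(pos, t.start);
    if (!banned.has(t.name)) out += html.slice(t.start, t.end);
    pos = t.end;
  }
  return out + html.slice(pos);
}

// Detection side: report tags that load a data: URI through src= or data=.
// Returns [{ tag, attr, value }] so the caller can log or reject the signature.
function findDataUriSources(html) {
  const findings = [];
  const attrRe = /\b(src|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  for (const t of tags(html)) {
    if (t.isClose || !DATA_URI_BEARERS.includes(t.name)) continue;
    attrRe.lastIndex = 0;
    let m;
    while ((m = attrRe.exec(t.attrs)) !== null) {
      const value = (m[2] ?? m[3] ?? m[4] ?? '').trim();
      if (/^data:/i.test(value)) findings.push({ tag: t.name, attr: m[1].toLowerCase(), value });
    }
  }
  return findings;
}

// Constructed sample signature: the element/URI shape the report relied on, with an
// empty SVG as the document so nothing executes.
const SAMPLE_SIGNATURE =
  '<p>Regards,<br>Example User</p>' +
  '<embed src="data:image/svg+xml,<svg xmlns=\'http://www.w3.org/2000/svg\'/>" type="image/svg+xml">';

console.log('findings before filter:', findDataUriSources(SAMPLE_SIGNATURE));
console.log('after invalid_elements filter:', stripInvalidElements(SAMPLE_SIGNATURE));
```

Note that invalid_elements only governs what the browser-side editor will keep; since the signature is submitted by the user's own browser, a server-side filter on save is the place that actually enforces the policy, and findDataUriSources is the kind of check that would sit there.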
@aliveli365
Author

It's not too dangerous for you from now on, but no one knows what might happen. 😅
Just thought there might be benefit in reporting...

@alecpl
Member

alecpl commented Jul 26, 2020

Fixed.

@alecpl alecpl closed this as completed Jul 26, 2020
Projects
None yet
Development

No branches or pull requests

2 participants