#1484109 closed Bugs (fixed)
Security Vulnerability
| Reported by: | psfrog | Owned by: | |
|---|---|---|---|
| Priority: | 1 - Highest | Milestone: | |
| Component: | Security | Version: | 0.1-beta2 |
| Severity: | critical | Keywords: | |
| Cc: |
Description
There is a simulur request in the forum about the Vulnerability.
Please read here:
http://www.securityfocus.com/bid/21042/info
RoundCube Webmail index.PHP Cross-Site Scripting Vulnerability
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
The following proof-of-concept URI is available:
- /data/vulnerabilities/exploits/21042.html
Attachments (1)
Change History (6)
comment:1 Changed 7 years ago by kang
comment:2 Changed 7 years ago by kang
Wrong wiki syntax :D
--- main.inc 2006-11-17 15:04:40.779543000 +0100
+++ main.inc.new 2006-11-17 15:03:03.519543000 +0100
@@ -1035,8 +1035,9 @@
* @param boolean Allow HTML tags in field value
* @param string Charset to convert into
* @return string Field value or NULL if not available
+ * @quotes boolean Do not strip quotes or add them if missing + htmlify
*/
-function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL)
+function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL, $quotes=FALSE)
{
global $OUTPUT;
$value = NULL;
@@ -1056,8 +1057,10 @@
}
// strip slashes if magic_quotes enabled
- if ((bool)get_magic_quotes_gpc())
+ if ((bool)get_magic_quotes_gpc() && $quotes)
$value = stripslashes($value);
+ else if (!(bool)get_magic_quotes_gpc() && !$quotes)
+ $value = htmlspecialchars($value, ENT_QUOTES);
// remove HTML tags if not allowed
if (!$allow_html)
comment:3 Changed 7 years ago by kang
this is better.
of course mails with a ' will look as html encoded even on plain text.
maybe it should use rep_special... function to encode for javascript etc specifically.
--- main.inc 2006-11-17 15:04:40.779543000 +0100
+++ main.inc.new 2006-11-17 15:03:03.519543000 +0100
@@ -1035,8 +1035,9 @@
* @param boolean Allow HTML tags in field value
* @param string Charset to convert into
* @return string Field value or NULL if not available
+ * @quotes boolean Do not strip quotes or add them if missing + htmlify
*/
-function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL)
+function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL, $quotes=FALSE)
{
global $OUTPUT;
$value = NULL;
@@ -1056,8 +1057,10 @@
}
// strip slashes if magic_quotes enabled
- if ((bool)get_magic_quotes_gpc())
+ if ((bool)get_magic_quotes_gpc() && $quotes)
$value = stripslashes($value);
+ else if (!$quotes)
+ $value = htmlspecialchars($value, ENT_QUOTES);
// remove HTML tags if not allowed
if (!$allow_html)
comment:4 Changed 6 years ago by thomasb
Unable to reproduce on either 0.1-beta2 nor current SVN. What browser did you test with?
comment:5 Changed 6 years ago by thomasb
- Resolution set to fixed
- Status changed from new to closed
Fixed in [e34ae178]. Use attached file to patch an existing installation.
Note: See
TracTickets for help on using
tickets.
Due to the number of bugs in queue and lack of activity i feel like the roundcube devs are dead ?
Anyway, here is a quick fix. I tested it, seems to work fine. I don't know where get_input_value() would need to keep the quotes (looked up the references shortly), but since he forced them there should be a reason, so added an option not-to-htmlify (default being to htmlify.)
Also note that the xss was happening only if you were not logged in.
--- main.inc 2006-11-17 15:04:40.779543000 +0100
+++ main.inc.new 2006-11-17 15:03:03.519543000 +0100
@@ -1035,8 +1035,9 @@
+ * @quotes boolean Do not strip quotes or add them if missing + htmlify
-function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL)
+function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL, $quotes=FALSE)
@@ -1056,8 +1057,10 @@
+ if ((bool)get_magic_quotes_gpc() && $quotes)
+ else if (!(bool)get_magic_quotes_gpc() && !$quotes)
+ $value = htmlspecialchars($value, ENT_QUOTES);