#1488806 closed Bugs (fixed)
XSS Vulnerability
| Reported by: | noamr | Owned by: | |
|---|---|---|---|
| Priority: | 5 | Milestone: | 0.8.4 |
| Component: | Security | Version: | 0.8.3 |
| Severity: | critical | Keywords: | |
| Cc: | | | |
Description (last modified by alec)
To trigger:
sendmail email@… < poc.eml
then visit RC panel, click on email.
Vulnerable code:
file: ./program/lib/enriched.inc

```php
function enriched_color($body){
    $pattern = '/(.*)\<color\>\<param\>(.*)\<\/param\>(.*)\<\/color\>(.*)/ims';
    while(preg_match($pattern,$body,$a)){
        //print_r($a);
        if (count($a)!=5) continue;
        //extract color (either by name, or ####,####,####)
        if (strpos($a[2],',')){
            $rgb = explode(',',$a[2]);
            $color ='#';
            for($i=0;$i<3;$i++) $color.=substr($rgb[$i],0,2); //just take first 2 bytes
        }else{
            $color = $a[2];
        }
        //put it all together
        // (*) the <param> value ($color) and the enclosed text ($a[3]) are emitted unvalidated
        $body = $a[1].'<span style="color: '.$color.'">'.$a[3].'</span>'.$a[4];
    }
    return $body;
}
```
In the POC, the color/param tags are constructed in such a way that the span tag on line (*) will be closed. There is no HTML sanitization between preg_match and line (*), so arbitrary JS can be injected into the rendered email body.
To trigger this functionality, the email's Content-Type must be text/enriched.
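The following is an added example, not Roundcube's code and not the fix the project shipped: a hardened rewrite of the colour-handling step quoted above, showing the two controls the vulnerable version lacks (an allow-list for the `<param>` value before it reaches the style attribute, and escaping of the enclosed text). The function names `safe_enriched_color` and `enriched_color_safe` and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not Roundcube's code and not the project's fix: a hardened
// rewrite of the enriched_color() step from the report. Function names are
// assumptions for illustration.

/**
 * Validate an enriched <param> colour value. Returns a CSS colour string
 * (a name or #rrggbb) or null for anything else, so a value that tries to
 * close the attribute quote can never reach the generated style attribute.
 */
function safe_enriched_color($param)
{
    // Named colours defined by RFC 1896 for the <color> command.
    $names = array('red', 'blue', 'green', 'yellow',
                   'cyan', 'magenta', 'black', 'white');

    $param = strtolower(trim($param));

    // RGB form "rrrr,gggg,bbbb": three 16-bit hex components; keep the high byte
    if (strpos($param, ',') !== false) {
        $rgb = explode(',', $param);
        if (count($rgb) !== 3) {
            return null;
        }
        $color = '#';
        foreach ($rgb as $comp) {
            if (!preg_match('/^[0-9a-f]{4}$/', $comp)) {
                return null;
            }
            $color .= substr($comp, 0, 2);
        }
        return $color;
    }

    // Name form: only the fixed allow-list passes through
    return in_array($param, $names, true) ? $param : null;
}

/**
 * Rewrite <color><param>X</param>TEXT</color> into a span. X goes through
 * the allow-list and TEXT is escaped, so neither part can break out of the
 * markup this function emits. Non-greedy groups replace the original greedy
 * (.*) groups, which could also match across unrelated tags.
 */
function enriched_color_safe($body)
{
    $pattern = '/<color><param>(.*?)<\/param>(.*?)<\/color>/is';

    return preg_replace_callback($pattern, function ($m) {
        $color = safe_enriched_color($m[1]);
        $text  = htmlspecialchars($m[2], ENT_QUOTES, 'UTF-8');
        if ($color === null) {
            // Malformed or unknown colour: keep the text, drop the styling
            return $text;
        }
        return '<span style="color: ' . $color . '">' . $text . '</span>';
    }, $body);
}

// Constructed samples (not the attachment from the ticket).
$benign  = 'Hello <color><param>red</param>world</color>!';
$rgb     = '<color><param>ff00,0000,8000</param>mixed</color>';
$hostile = '<color><param>red"><b x="</param>payload</color>';

echo enriched_color_safe($benign) . "\n";
echo enriched_color_safe($rgb) . "\n";
echo enriched_color_safe($hostile) . "\n";
```

Run against the three constructed samples, the first yields a span coloured `red`, the second a span coloured `#ff0080`, and the hostile one yields only the bare text `payload`, because its `<param>` value is neither a listed name nor a valid RGB triple. In a complete text/enriched converter the escaping would belong at the single point where text becomes HTML (after handling RFC 1896's `<<` escape for a literal `<`, and consistently across the other enriched commands), and the result should still pass through the HTML washer before rendering; it is done inside this step here only so the example is self-contained.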
Attachments (1)
Change History (4)
Changed 6 months ago by noamr
comment:1 Changed 6 months ago by alec
- Description modified (diff)
- Milestone changed from later to 0.9-beta
comment:2 Changed 6 months ago by alec
- Resolution set to fixed
- Status changed from new to closed
comment:3 Changed 6 months ago by thomasb
- Milestone changed from 0.9-beta to 0.8.4

Fixed in d15163ab6ecabde9d12e8674bee37cbe562bd850