Opened 18 months ago

Closed 18 months ago

Last modified 18 months ago

#1488806 closed Bugs (fixed)

XSS Vulnerability

Reported by: noamr Owned by:
Priority: 5 Milestone: 0.8.4
Component: Security Version: 0.8.3
Severity: critical Keywords:
Cc:

Description (last modified by alec)

To trigger:

sendmail email@… < poc.eml
then visit RC panel, click on email.

Vulnerable code:

file: ./program/lib/enriched.inc

function enriched_color($body){
	$pattern = '/(.*)\<color\>\<param\>(.*)\<\/param\>(.*)\<\/color\>(.*)/ims';
	while(preg_match($pattern,$body,$a)){
		//print_r($a);
		if (count($a)!=5) continue;

		//extract color (either by name, or ####,####,####)
		if (strpos($a[2],',')){
			$rgb = explode(',',$a[2]);
			$color ='#';
			for($i=0;$i<3;$i++) $color.=substr($rgb[$i],0,2); //just take first 2 bytes
		}else{
			$color = $a[2];
		}
		
		//put it all together
(*)		$body = $a[1].'<span style="color: '.$color.'">'.$a[3].'</span>'.$a[4];
	}

	return $body;
}

In the PoC, the color/param tags are constructed in such a way that on line (*) the span tag will be closed. There is no HTML sanitization between preg_match and line (*), so arbitrary JS can be injected into the rendered email body.

To trigger this functionality, the email's Content-Type must be text/enriched.
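For comparison, the following is an added example of a hardened variant of the function above, written for this page and not Roundcube's own fix: the <param> value is checked against a strict allow-list (hex triplet or a plain colour name) before it is written into the style attribute, so a value carrying quotes or angle brackets can no longer close the span. The function name and the allow-list rules are assumptions of this example.

```php
<?php
// Added example (not Roundcube's own fix): hardened replacement for
// enriched_color() that validates the <param> value before it is written
// into the style attribute. Name and allow-list rules are assumptions.

function enriched_color_safe($body)
{
    // Non-greedy, one <color> block per match, so a hostile <param> cannot
    // swallow surrounding markup the way the original greedy (.*) groups can.
    $pattern = '/<color><param>(.*?)<\/param>(.*?)<\/color>/is';

    return preg_replace_callback($pattern, function ($m) {
        $param = trim($m[1]);
        $text  = $m[2];   // inner text is passed through unchanged, as the original does

        if (strpos($param, ',') !== false) {
            // ####,####,#### form: exactly three hex components.
            $rgb = explode(',', $param);
            if (count($rgb) !== 3) {
                return $text;                   // malformed: keep text, drop colour
            }
            $color = '#';
            foreach ($rgb as $c) {
                if (!preg_match('/^[0-9a-fA-F]{2,4}$/', $c)) {
                    return $text;               // quotes, '>', etc. are rejected
                }
                $color .= substr($c, 0, 2);     // first 2 hex digits, as in the original
            }
        } elseif (preg_match('/^[a-zA-Z]{1,20}$/', $param)) {
            $color = strtolower($param);        // named colour: letters only
        } else {
            return $text;                       // cannot break out of the attribute
        }

        return '<span style="color: ' . $color . '">' . $text . '</span>';
    }, $body);
}

// Constructed inputs: a benign one, and one whose <param> tries to close the attribute.
echo enriched_color_safe('<color><param>ff00,0000,0000</param>warning</color>'), "\n";
echo enriched_color_safe('<color><param>red"><b></param>text</color>'), "\n";
```

The first call yields a coloured span; the second drops the colour entirely and returns only the inner text, because the param fails both allow-list checks.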

Attachments (1)

poc.eml (276 bytes) - added by noamr 18 months ago.


Change History (4)

Changed 18 months ago by noamr

comment:1 Changed 18 months ago by alec

  • Description modified (diff)
  • Milestone changed from later to 0.9-beta

comment:2 Changed 18 months ago by alec

  • Resolution set to fixed
  • Status changed from new to closed

comment:3 Changed 18 months ago by thomasb

  • Milestone changed from 0.9-beta to 0.8.4