Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#1488806 closed Bugs (fixed)

XSS Vulnerability

Reported by: noamr
Owned by:
Priority: 5
Milestone: 0.8.4
Component: Security
Version: 0.8.3
Severity: critical
Keywords:

Description (last modified by alec)

To trigger:

sendmail email@… < poc.eml
then visit RC panel, click on email.

Vulnerable code:

file: ./program/lib/

function enriched_color($body){
	$pattern = '/(.*)\<color\>\<param\>(.*)\<\/param\>(.*)\<\/color\>(.*)/ims';
	// loop header, else-branch and closing braces restored; the ticket's excerpt omits them
	while (preg_match($pattern, $body, $a)) {
		if (count($a)!=5) continue;

		//extract color (either by name, or ####,####,####)
		if (strpos($a[2],',')){
			$rgb = explode(',',$a[2]);
			$color ='#';
			for($i=0;$i<3;$i++) $color.=substr($rgb[$i],0,2); //just take first 2 bytes
		}
		else {
			$color = $a[2]; // color name taken verbatim: no validation, no escaping
		}
		//put it all together
		$body = $a[1].'<span style="color: '.$color.'">'.$a[3].'</span>'.$a[4]; // (*)
	}
	return $body;
}

In POC, the color/param tags are constructed in such a way that on line (*) span tag will be closed. There is no html sanitization between preg_match and line (*), so arbitrary JS can be injected into the rendered email body.

To trigger this functionality, email's content-type must be equal to
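A hardened counterpart to the function above, added here as an illustration and not Roundcube's own fix: the colour parameter is interpolated into the style attribute only if it matches a strict grammar (letters-only name, or the RFC 1896 hex triple), and the span is dropped otherwise. The names enriched_color_safe and validate_enriched_color are mine; $a[1], $a[3] and $a[4] are passed through as in the original on the assumption that the surrounding enriched-to-HTML converter handles them.

```php
<?php
// Added example, not Roundcube's code. A colour parameter that does not match a
// strict grammar never reaches the HTML; the text is kept, the <span> is dropped.
// Surrounding text ($a[1], $a[3], $a[4]) is passed through as in the original,
// assuming the rest of the enriched-to-HTML converter is responsible for it.

// Returns a CSS colour value or null. Accepts a name made only of letters, or the
// RFC 1896 form ####,####,#### (hex per channel); like the original, only the
// leading two hex digits of each channel are kept.
function validate_enriched_color($param)
{
    $param = trim($param);
    if (preg_match('/^[a-z]{1,20}$/i', $param)) {
        return strtolower($param);
    }
    $rgb = explode(',', $param);
    if (count($rgb) !== 3) {
        return null;
    }
    $color = '#';
    foreach ($rgb as $channel) {
        if (!preg_match('/^[0-9a-f]{2,4}$/i', $channel)) {
            return null; // anything that is not pure hex never reaches the attribute
        }
        $color .= substr(strtolower($channel), 0, 2);
    }
    return $color;
}

function enriched_color_safe($body)
{
    $pattern = '/(.*)\<color\>\<param\>(.*)\<\/param\>(.*)\<\/color\>(.*)/ims';
    while (preg_match($pattern, $body, $a)) {
        $color = validate_enriched_color($a[2]);
        // Invalid parameter: keep the text, emit no style attribute at all.
        $span = ($color === null)
            ? $a[3]
            : '<span style="color: ' . $color . '">' . $a[3] . '</span>';
        $body = $a[1] . $span . $a[4];
    }
    return $body;
}

// Constructed inputs: a named colour, an RGB triple, and a parameter carrying a
// stray quote, which is rejected instead of being placed inside the attribute.
$samples = [
    '<color><param>red</param>warning</color>',
    'a <color><param>ff00,0000,8000</param>mixed</color> b',
    '<color><param>red"</param>plain</color>',
];
foreach ($samples as $in) {
    echo enriched_color_safe($in), "\n";
}
```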

Attachments (1)

poc.eml (276 bytes) - added by noamr 3 years ago.


Change History (4)

Changed 3 years ago by noamr

comment:1 Changed 3 years ago by alec

  • Description modified (diff)
  • Milestone changed from later to 0.9-beta

comment:2 Changed 3 years ago by alec

  • Resolution set to fixed
  • Status changed from new to closed

comment:3 Changed 3 years ago by thomasb

  • Milestone changed from 0.9-beta to 0.8.4