Opened 16 months ago

Closed 15 months ago

Last modified 14 months ago

#1489251 closed Bugs (fixed)

XSS Vulnerability on Identity configuration (and on "edit as new" function)

Reported by: und3r Owned by:
Priority: 3 Milestone: 0.9.3
Component: Security Version: 0.9.2
Severity: normal Keywords: XSS
Cc: menin.andrea@…

Description

Hi,

I've found an XSS vulnerability inside the "identity" configuration page. In the "Sign" textarea, with HTML signature enabled, I clicked the "HTML" button on the editor and wrote this HTML code:

test<b onmouseover="alert(document.cookie)">asd</b>

Once you save it, when you move your mouse over the word "asd", the JavaScript "alert(document.cookie)" will be executed by the client. Every time you visit the "identity configuration page" the XSS is active.

Hope this can help,
thank you.

--
Andrea Menin
menin.andrea@…

Attachments (4)

roundcube_XSS.jpg (57.3 KB) - added by und3r 16 months ago.
working XSS on ver 0.9.2 tested on Chrome
roundcube_XSS_2.jpg (52.9 KB) - added by und3r 16 months ago.
XSS on "compose new mail" tested on Chrome
edit_as_new_1.jpg (40.3 KB) - added by und3r 16 months ago.
edit as new 1
edit_as_new_2.jpg (61.6 KB) - added by und3r 16 months ago.
edit as new 2


Change History (21)

Changed 16 months ago by und3r

working XSS on ver 0.9.2 tested on Chrome

comment:1 Changed 16 months ago by und3r

  • Component changed from User Interface to Security

comment:2 Changed 16 months ago by und3r

I forgot: when you save the new "HTML sign" and write a new HTML mail, the XSS is still present, and when you move your mouse over the signature, the JavaScript XSS code will be executed by the client (see the attachment roundcube_XSS_2.jpg).

Changed 16 months ago by und3r

XSS on "compose new mail" tested on Chrome

comment:3 Changed 16 months ago by dennis1993

It works in my Installation, too.

I've tested a little bit. Create a group in your addressbook with this name: <script>alert('test');</script>

If you click on this group after creation, the JavaScript code will be executed. If you rename this group, the name looks like this:

&lt;script&gt;alert('test');&lt;/script&gt;

But now it's too late :)

Last edited 16 months ago by dennis1993

comment:4 Changed 16 months ago by und3r

I've tested a little bit. Create a group in your addressbook with this name: <script>alert('test');</script>

It does not work for me on the address book group. Have you got the latest version, 0.9.2?

-Andrea

comment:5 Changed 16 months ago by dennis1993

Oh, I see, I have installed "Roundcube Webmail 1.0-git" for my tests. In this version I can execute the JavaScript.

I installed 0.9.2 for a few minutes and the same code is not executable. That's funny xD

If you download the current master from GitHub you can execute the JavaScript in the addressbook.

comment:6 Changed 16 months ago by und3r

If you download the current master from GitHub you can execute the JavaScript in the addressbook.

D'oh! :) So the XSS vuln inside the "signature" is also present in 1.0-git?

-Andrea

comment:7 Changed 16 months ago by dennis1993

Yes, I can execute the JavaScript code in the signature with the following text:

<p onmouseover="javascript:alert('test');">mouseover-text</p>

Maybe this is supposed to be like that. :-) I don't know.

comment:8 follow-up: Changed 16 months ago by thomasb

Is this really XSS when it only affects your very own account? Can you make the scripts be executed by somebody else not using your login?

Nevertheless, we should filter the HTML source of signatures when saving as we can't be sure the receiving end will properly filter it.

comment:9 Changed 16 months ago by dennis1993

@thomasb: Yes, that's right. It is not possible to filter all content from the users.

But one question: why does the XSS work at once in the addressbook in the current git master?
I have explained that in comment:3.

comment:10 Changed 16 months ago by und3r

Can you make the scripts to be executed by somebody else not using your login?

@thomasb: sure, for example if I write you an email that contains this "malicious" JavaScript code, and you click on "edit as new", the JavaScript will be executed by the client!!

I've made a test by sending this mail to my account:

HELO init.it
MAIL FROM: andrea.menin@init.it
RCPT TO: andrea.menin@init.it
DATA
From: Andrea <andrea.menin@init.it>
To: andrea.menin@init.it
Subject: test      
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="iso-8859-1"

<b onmouseover=alert(document.cookie)>asd</b>

.

See the attachments "edit_as_new_1.jpg" and "edit_as_new_2.jpg" for more details.
Sorry, but I call this an "XSS Vulnerability" :)

-Andrea

Last edited 16 months ago by und3r

Changed 16 months ago by und3r

edit as new 1

Changed 16 months ago by und3r

edit as new 2

comment:11 Changed 16 months ago by und3r

  • Summary changed from XSS Vulnerability on Identity configuration to XSS Vulnerability on Identity configuration (and on "edit as new" function)

comment:12 Changed 15 months ago by thomasb

I see. So it's not just an identity/signature issue but we generally lack HTML filtering when editing a message "as new".

comment:13 Changed 15 months ago by und3r

@thomasb yes, sorry. This kind of problem is present in all parts where there is the "MCE" editor (or, more specifically, wherever there is a <textarea> with the CSS class "mce_editor").

-Andrea

comment:14 Changed 15 months ago by alec

  • Resolution set to fixed
  • Status changed from new to closed

comment:15 in reply to: ↑ 8 Changed 15 months ago by thomasb

  • Resolution fixed deleted
  • Status changed from closed to reopened

Replying to thomasb:

Nevertheless, we should filter the HTML source of signatures when saving as we can't be sure the receiving end will properly filter it.

This should be done as well before closing this ticket.
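The server-side filtering thomasb asks for in comment:8 (signatures on save) and comment:12 (message bodies loaded for "edit as new") can be done with an allow-list sanitizer. The block below is an added illustration, not Roundcube's own code (Roundcube is written in PHP; this is a stand-alone Python version), and its tag, attribute and URL-scheme allow-lists are assumptions chosen for the example. It is exercised on the payloads quoted in this ticket.

```python
# Added example, not Roundcube's code: allow-list sanitizer for user-supplied
# HTML that is stored server-side (a signature) or loaded back into the editor
# ("edit as new"). Tag/attribute/scheme allow-lists are assumptions for the demo.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "div", "span", "b", "i", "u", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}            # no style, no class, nothing else
SAFE_SCHEMES = ("http:", "https:", "mailto:")
VOID_TAGS = {"br"}


class SignatureSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded, re-escaped on output
        self.out = []
        self.skip = 0          # > 0 while inside <script>/<style>: their text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return             # unknown tag is dropped; its text content is kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue       # every on* event handler goes, whatever the tag
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue       # rejects javascript:, data:, vbscript: ... URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is always re-escaped
    # comments, doctype and processing instructions are silently dropped


def sanitize_html(source):
    """Return a filtered copy of `source` containing only allow-listed markup."""
    p = SignatureSanitizer()
    p.feed(source)
    p.close()
    return "".join(p.out)
```

An unclosed `<script>` keeps the sanitizer in skip mode to the end of the input, so a truncated payload fails closed rather than leaking its tail into the output.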

comment:16 Changed 15 months ago by alec

  • Resolution set to fixed
  • Status changed from reopened to closed

comment:17 Changed 14 months ago by alec

I opened a separate ticket for the addressbook group name issue here: #1489333.
