Fw: [Full-disclosure] XSS in roundcube.com and users of it

Matt Kaatman roundcube-dev at matt.kaatman.com
Tue Nov 21 14:55:10 CET 2006

Hey Chris,

We did see it but (until now) we've been unable to duplicate it. Your
link below to the demo site is the first time I've seen it work. I'm not
sure if the original report had a bad link in it or if I simply fail at
copy and paste.


Chris Largret wrote:
> Hey,
> I'm sure others have seen this as it's a couple days old now, but I'm
> just passing it along. It should have been sent to you guys first, but I
> don't see a reference on the dev list and it still works.
> -Chris
> Begin forwarded message:
> Date: Sat, 11 Nov 2006 10:51:00 -0800
> From: RSnake <h at ckers.org>
> To: full-disclosure at lists.grok.org.uk
> Subject: [Full-disclosure] XSS in roundcube.com and users of it
> There is an XSS vulnerability in roundcube webmail:
> http://demo.roundcube.net/?_task=');alert(%22XSS%22)//
> Btw, we've been posting 0-day XSS vulnerabilities at 
> http://sla.ckers.org/forum/list.php?3 to take it out of the full 
> disclosure list since lots of people don't want to see the sheer volume 
> of reports.  We've got close to a thousand companies and counting.  
> We're just trying to cut down on the noise to people's inboxes.  That
> is all.
> -RSnake
> http://ha.ckers.org
> http://sla.ckers.org
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

More information about the Dev mailing list