Bug #1484109

Jim Pingle lists at pingle.org
Thu Nov 16 23:45:24 CET 2006


Robin Elfrink wrote:
> Bug #1484109 has been added tonight, mentioning a cross site security
> vulnerability.
> 
> The poster refers to http://www.securityfocus.com/bid/21042/info.
> 
> Apart from the fact that I cannot reproduce the given proof-of-concept,
> I fail to see how this is supposed to be a vulnerability.

I'm not able to reproduce this either with SVN rev 371. I don't have any
instances of roundcube using the versions listed in the report (0.1
-20051021 and 0.1-beta2)

I tried it while logged out and while logged in, with IE 7 and Firefox 2.0.

If it really does happen, then yes technically is can be considered a
vulnerability, but an XSS problem like this isn't in the same league as a
security problem such that would compromise server integrity. (That's a
discussion for another time/list/etc) It's more about preventing phishing
sites, end-user information theft, or site misidentification.

A little extra input scrubbing should fix it, if it hasn't been fixed
already in the course of other changes.

Whoever discovered this should have given a lot more detail as to how to
reproduce the problem.

Jim




More information about the Dev mailing list