lists at pingle.org
Thu Nov 16 23:45:24 CET 2006
Robin Elfrink wrote:
> Bug #1484109 has been added tonight, mentioning a cross site security
> The poster refers to http://www.securityfocus.com/bid/21042/info.
> Apart from the fact that I cannot reproduce the given proof-of-concept,
> I fail to see how this is supposed to be a vulnerability.
I'm not able to reproduce this either with SVN rev 371. I don't have any
instances of roundcube using the versions listed in the report (0.1
-20051021 and 0.1-beta2)
I tried it while logged out and while logged in, with IE 7 and Firefox 2.0.
If it really does happen, then yes technically is can be considered a
vulnerability, but an XSS problem like this isn't in the same league as a
security problem such that would compromise server integrity. (That's a
discussion for another time/list/etc) It's more about preventing phishing
sites, end-user information theft, or site misidentification.
A little extra input scrubbing should fix it, if it hasn't been fixed
already in the course of other changes.
Whoever discovered this should have given a lot more detail as to how to
reproduce the problem.
More information about the Dev