Fw: [Full-disclosure] XSS in roundcube.com and users of it

Jim Pingle lists at pingle.org
Tue Nov 21 15:45:55 CET 2006

Matt Kaatman wrote:
> We did see it but (until now) we've been unable to duplicate it. Your
> link below to the demo site is the first time I've seen it work. I'm not
> sure if the original report had a bad link in it or if I simply fail at
> copy and paste.

The link in the advisory at SecurityFocus was:


That didn't trigger the bug, but the URL in his e-mail was slightly different:


It looks like that apostrophe got encoded into the HTML character entity
&#039; when it was posted originally.

I can also reproduce it with the second URL on my local installations.

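The reproduction problem above (a proof-of-concept link whose apostrophe was turned into an HTML entity on the way through an advisory page) is a recurring one for anyone triaging bug reports. As an added example, not code from this thread or from Roundcube, here is a small normaliser that undoes entity- and percent-encoding so two copies of a reported link can be compared; the URLs it uses are constructed with a placeholder host, not the ones from the e-mail.

```python
import html
from urllib.parse import unquote


def normalize_reported_url(url: str) -> str:
    """Undo the encodings a link picks up when it is pasted into web forms,
    advisory pages or list archives, so two copies of one link compare equal.

    HTML entities (&#039;, &amp;, ...) are decoded until the text stops
    changing, which also handles double-encoded copies like &amp;#039;,
    and percent-encoding is removed afterwards.
    """
    previous = None
    while previous != url:
        previous, url = url, html.unescape(url)
    return unquote(url)


def same_link(first: str, second: str) -> bool:
    """True when two reported links differ only in how they were encoded."""
    return normalize_reported_url(first) == normalize_reported_url(second)


# Constructed sample links (placeholder host; not the URLs from the thread).
MAIL_LINK = "https://example.invalid/?q=a'b"            # as sent by e-mail
ADVISORY_LINK = "https://example.invalid/?q=a&#039;b"   # as shown on a web page
DOUBLE_ENCODED_LINK = "https://example.invalid/?q=a&amp;#039;b"
PERCENT_LINK = "https://example.invalid/?q=a%27b"       # URL-encoded variant

if __name__ == "__main__":
    for link in (ADVISORY_LINK, DOUBLE_ENCODED_LINK, PERCENT_LINK):
        print(link, "->", normalize_reported_url(link))
```

Normalising before retesting tells you whether a failed reproduction is a real discrepancy or just an encoding artefact of wherever the link was published.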