Fw: [Full-disclosure] XSS in roundcube.com and users of it

Jim Pingle lists at pingle.org
Tue Nov 21 15:45:55 CET 2006


Matt Kaatman wrote:
> We did see it but (until now) we've been unable to duplicate it. Your
> link below to the demo site is the first time I've seen it work. I'm not
> sure if the original report had a bad link in it or if I simply fail at
> copy and paste.

The link in the advisory at SecurityFocus was:

http://www.example.com/?_task=');alert(%22XSS%22)//

That didn't trigger the bug, but the URL in his e-mail was slightly different:

http://demo.roundcube.net/?_task=');alert(%22XSS%22)//

It looks like that apostrophe got encoded into the HTML character entity
#039; when it was posted originally.

I can also reproduce it with the second URL on my local installations.

Jim
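
Added example, not part of the original message or of RoundCube's code: it parses both links to show what `_task` value each one delivers, then contrasts naive interpolation into a JavaScript string with an escaped form. It assumes the advisory link carried `&#039;` in place of the apostrophe, as the message suggests, and the `app.init('...')` sink is a hypothetical stand-in for wherever the parameter is reflected.

```javascript
// Link from the e-mail (reproduces) and the advisory link as assumed to have
// been published, with the apostrophe turned into the entity "&#039;".
const emailUrl = "http://demo.roundcube.net/?_task=');alert(%22XSS%22)//";
const advisoryUrl = "http://www.example.com/?_task=&#039;);alert(%22XSS%22)//";

// Decoded _task value as the server would receive it.
function taskParam(link) {
  return new URL(link).searchParams.get("_task");
}

// Part of the link that never leaves the browser (everything after "#").
function fragment(link) {
  return new URL(link).hash;
}

// Hypothetical vulnerable sink: value dropped into a single-quoted JS string.
function naiveInline(task) {
  return "app.init('" + task + "');";
}

// Escape every character outside [A-Za-z0-9_] as \uXXXX so the value cannot
// close the string literal or the surrounding <script> element.
function jsStringEscape(value) {
  return value.replace(/[^A-Za-z0-9_]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Same sink with output encoding applied.
function safeInline(task) {
  return "app.init('" + jsStringEscape(task) + "');";
}

// In the advisory link "&" ends the _task parameter and "#" starts the
// fragment, so the server sees an empty _task and nothing is reflected.
console.log(JSON.stringify(taskParam(advisoryUrl)), fragment(advisoryUrl));
console.log(naiveInline(taskParam(emailUrl)));
console.log(safeInline(taskParam(emailUrl)));
```
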



