Fw: [Full-disclosure] XSS in roundcube.com and users of it
Aurélien Pocheville
aurelien.pocheville at haptique.com
Tue Nov 21 16:33:48 CET 2006
I think the problem is in index.php.
Here is a quick fix:
After line 93, add:

    //Line 93
    $_task = get_input_value('_task', RCUBE_INPUT_GPC);
    //sanitize $_task
    if (!preg_match('/[a-z]+/i',$_task,$task_sanitized))
    {
        $_task = '';
    }
    else
    {
        $_task = $task_sanitized[0];
    }

It only allows tasks that are made of letters. Corrects the problem on my
installation.
Another solution (don't know which is better):
Use in_array($_task, $MAIN_TASKS) and default if not inside the array.
I think we should default to '' there because the default task is set
after this step.
Problem is on line 128:

    $COMM_PATH = sprintf('./?_task=%s', $_task);

$COMM_PATH is then output to the user, hence the alert box.
Aurélien
--
Aurelien Pocheville
PhD Student IBISC-CNRS
Engineer IIE 2003
aurelien.pocheville at haptique.com
http://www.haptique.com/
Tel : 33 1 69 47 06 05
Fax : 33 1 69 47 06 03
University of Evry Val d'Essonne
40 rue du Pelvoux - CE 1455
91020 EVRY CEDEX
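
Added example, not part of the original message and not RoundCube code: the two fixes discussed above (first run of letters versus membership in $MAIN_TASKS) run side by side on constructed inputs, with the path also escaped where it is written into HTML. The contents of $MAIN_TASKS and the helper names sanitize_task_regex, sanitize_task_allowlist and comm_path_html are assumptions made for illustration.

```php
<?php
// Assumed task list for illustration; the real $MAIN_TASKS is defined by the application.
$MAIN_TASKS = array('mail', 'settings', 'addressbook', 'logout');

// Regex approach from the message: keep the first run of letters, else ''.
// A request parameter can arrive as an array, so reject non-strings first.
function sanitize_task_regex($task)
{
    if (!is_string($task) || !preg_match('/[a-z]+/i', $task, $m)) {
        return '';
    }
    return $m[0];
}

// Allow-list approach: accept only a known task (strict comparison), else ''
// so that the default task can still be set in a later step.
function sanitize_task_allowlist($task, array $allowed)
{
    return (is_string($task) && in_array($task, $allowed, true)) ? $task : '';
}

// Build the path as on line 128, URL-encode the value and HTML-escape the
// result at the point of output, independently of the input check.
function comm_path_html($task)
{
    $path = sprintf('./?_task=%s', rawurlencode($task));
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs: valid, wrong case, unknown word, markup, digits, array.
$samples = array('mail', 'MAIL', 'foo', 'mail"><i>x</i>', '123', array('mail'));
foreach ($samples as $raw) {
    $r = sanitize_task_regex($raw);
    $a = sanitize_task_allowlist($raw, $MAIN_TASKS);
    printf("%-22s regex=%-8s allowlist=%-8s path=%s\n",
        json_encode($raw), var_export($r, true), var_export($a, true),
        comm_path_html($a));
}
```

The regex version removes the markup but still passes any word made of letters, such as 'foo', on to later code; the allow-list version passes only the listed tasks.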