Fw: [Full-disclosure] XSS in roundcube.com and users of it

Aurélien Pocheville aurelien.pocheville at haptique.com
Tue Nov 21 16:33:48 CET 2006


I think the problem is in index.php
Here is a quick fix:

After line 93, add

//Line 93
$_task = get_input_value('_task', RCUBE_INPUT_GPC);

//sanitize $_task
if (!preg_match('/[a-z]+/i',$_task,$task_sanitized))
{
    $_task = '';
}
else
{
    $_task = $task_sanitized[0];
}

It only allows tasks that are made of letters. It corrects the problem on my 
installation.

Another solution (don't know which is better):

Use in_array($_task, $MAIN_TASKS) and default if it is not inside the array. 
I think we should default to '' there because the default task is set 
after this step.

Problem is on line 128
$COMM_PATH = sprintf('./?_task=%s', $_task);
$COMM_PATH is then output to the user, hence the alert box.

Aurélien

-- 
Aurelien Pocheville
PhD Student IBISC-CNRS
Engineer IIE 2003

aurelien.pocheville at haptique.com
http://www.haptique.com/
Tel : 33 1 69 47 06 05
Fax : 33 1 69 47 06 03
University of Evry Val d'Essonne
40 rue du Pelvoux - CE 1455
91020 EVRY CEDEX
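
Added example (not part of the original message and not RoundCube's own code): the two fixes proposed above, run side by side on constructed inputs, plus encoding at the point where the path is output. The function names, the contents of $MAIN_TASKS and the sample inputs are assumptions made for illustration.

```php
<?php
// Constructed task list; the message names $MAIN_TASKS but not its contents.
$MAIN_TASKS = array('mail', 'settings', 'addressbook', 'logout');

// Approach 1 from the message: keep the first run of letters, else ''.
// Non-string input (e.g. _task[]=x arriving as an array) is rejected up front.
function task_by_regex($task) {
    return (is_string($task) && preg_match('/[a-z]+/i', $task, $m)) ? $m[0] : '';
}

// Approach 2 from the message: accept only known tasks, else ''.
// Strict comparison avoids PHP's loose type juggling in in_array().
function task_by_allowlist($task, array $allowed) {
    return in_array($task, $allowed, true) ? $task : '';
}

// Encode where the value is written into the page, so the output stays
// inert in HTML even if an earlier input check is changed later.
function comm_path($task) {
    $path = sprintf('./?_task=%s', urlencode($task));
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a valid task, an unknown task, markup, digits only.
$samples = array('mail', 'bogus', '"><script>alert(1)</script>', '123');

foreach ($samples as $raw) {
    $by_regex = task_by_regex($raw);
    $by_list  = task_by_allowlist($raw, $MAIN_TASKS);
    printf("%-32s regex=%-9s allowlist=%-7s path=%s\n",
        var_export($raw, true),
        var_export($by_regex, true),
        var_export($by_list, true),
        comm_path($by_list));
}
```

Both approaches keep markup out of the value, but the regex still passes letters-only names that are not real tasks, while the allow-list resets anything unknown to ''.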
