[RCD] [RCU] Vulnerability in Roundcube

Robin Elfrink elfrink at introweb.nl
Thu Dec 13 09:56:43 CET 2007

Vincent Bernat wrote:

> A vulnerability was discovered in Roundcube:
>  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=455840
> It seems that there is no fix yet. Any idea on this topic?

This is not strictly a RoundCube vulnerability but Internet Explorer's
intended behaviour.

I'm not sure if we need to prevent IE doing something that Microsoft
wants it to do (http://openmya.hacker.jp/hasegawa/security/expression.txt):

'As a result of having confirmed in our company development department,
this phenomenon is the behavior by design of Internet Explorer,
and it was judged it does not fit the definition of vulnerability.'

On the other hand, if a 'fix' can prevent IE users into more trouble
than they already are :), and it won't break any functionality, I see no
problem working around this 'feature'.

I'll try to find out what other webmails do about this.

A workaround would be for IE users to turn off the 'Prefer HTML' option.


PS. Interesting, the posting on securityfocus says 'Author was contacted
on 2007-05-11' but I don't recall any _specific_ vulnerability being
reported on the dev-mailing list around that time. Unfortunately the
archives are down right now so I cannot check my external memory.
List info: http://lists.roundcube.net/dev/

More information about the Dev mailing list