[RCD] [RCU] Vulnerability in Roundcube

Vincent Bernat bernat at luffy.cx
Fri Dec 28 21:45:10 CET 2007


OoO On this rainy morning of Thursday, December 13, 2007, around 10:28,
Robin Elfrink <elfrink at introweb.nl> said:

> I found Squirrelmail's solution. They seem to use one function for every
> possible tag in the HTML source:

> http://osdir.com/ml/mail.squirrelmail.cvs/2006-12/msg00031.html

> I'll try to implement that, and/or search for more :)

Hi Robin!

I noticed that you have posted a patch. I have tried it but it seems
that there is no effect. I have tried with IE6 from ie4linux and I still
get the JavaScript popups. Did you try it successfully on rc2?

I have used the test message from here:
 http://www.topolis.lt/bugtraq/expression.eml.gz

Thanks.
-- 
MY NAME IS NOT DR. DEATH
MY NAME IS NOT DR. DEATH
MY NAME IS NOT DR. DEATH
-+- Bart Simpson on chalkboard in episode 8F18