[RCD] [RCU] Vulnerability in Roundcube

Vincent Bernat bernat at luffy.cx
Tue Jan 22 22:17:11 CET 2008


Early in the evening of Friday 28 December 2007, around 21:45, I said:

>> I found Squirrelmail's solution. They seem to use one function for every
>> possible tag in the HTML source:

>> http://osdir.com/ml/mail.squirrelmail.cvs/2006-12/msg00031.html

>> I'll try to implement that, and/or search for more :)

> Hi Robin!

> I noticed that you have posted a patch. I have tried it but it seems
> that there is no effect. I have tried with ie6 from ie4linux and I still
> get the javascript popups. Did you try it successfully on rc2?

> I have used the test message from here:
>  http://www.topolis.lt/bugtraq/expression.eml.gz

I have tried with an up-to-date IE7 and the patch provided here does not
fix the issue. In fact, the source code shows there are still unsanitized
strings. I have completed the patch with a function from Squirrelmail
(sq_defang). I have attached the complete patch.

 --- 8< --- detachments --- 8< ---
 The following attachments have been detached and are available for viewing.
  http://detached.gigo.com/rc/Kv/ygd6Dv7S/xss-fix.patch
 Only click these links if you trust the sender, as well as this message.
 --- 8< --- detachments --- 8< ---

There are still some unsanitized strings but IE does not trigger any
alert any more. We will use this patch as a temporary fix for the Roundcube
Debian package unless you see a better way to handle this issue.
-- 
Treat end of file conditions in a uniform manner.
            - The Elements of Programming Style (Kernighan & Plauger)
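Added illustration of the "defang" idea the thread borrows from Squirrelmail. This is not the Roundcube patch, not SquirrelMail's sq_defang, and not code from either project; the normalization steps, the token list, the replacement word and the PHP 7.2+ (mbstring) assumption are this example's own. It undoes the obfuscation layers IE tolerated in a style value (HTML entities, CSS hex escapes, CSS comments) before matching, then rewrites the tokens IE would execute so they cannot re-form.

```php
<?php
// Added example, not Roundcube or SquirrelMail code. Assumes PHP 7.2+ with
// mbstring for mb_chr(). Token list and replacement word are this example's.

// Undo the spellings that let "expression" slip past a naive substring
// match: HTML entities, CSS hex escapes and CSS comments.
function normalize_style(string $css): string
{
    // &#101;xpression(...) / &#x65;xpression(...)
    $css = html_entity_decode($css, ENT_QUOTES | ENT_HTML401, 'UTF-8');

    // \65 xpression(...) / \000065xpression(...): 1-6 hex digits followed by
    // an optional single whitespace terminator, as CSS defines the escape.
    $css = preg_replace_callback(
        '/\\\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?/',
        function (array $m): string {
            $cp = hexdec($m[1]);
            if ($cp <= 0 || $cp > 0x10FFFF) {
                return '';
            }
            return mb_chr($cp, 'UTF-8') ?: '';
        },
        $css
    );

    // expr/**/ession(...)
    return preg_replace('#/\*.*?\*/#s', '', $css);
}

// Rewrite the tokens IE (and, for binding, older Mozilla) executes out of a
// style value. Whitespace between letters is tolerated in the match so a
// split spelling does not get through. The replacement word contains no
// token, and no token starts or ends with a piece of it, so a single pass
// cannot re-form a token (the "expexpressionression" trick that defeats
// strip-and-forget filters).
function defang_style(string $css): string
{
    $css = normalize_style($css);
    $tokens = ['expression', 'javascript', 'vbscript', 'behavior', 'behaviour', 'binding'];
    foreach ($tokens as $token) {
        $pattern = '/' . implode('\s*', str_split($token)) . '/i';
        $css = preg_replace($pattern, 'defanged', $css);
    }
    return $css;
}

// Normalization decoded entities, so the value must be re-escaped when it is
// written back into an attribute rather than reusing the original spelling.
function style_attr(string $css): string
{
    return 'style="' . htmlspecialchars(defang_style($css), ENT_QUOTES, 'UTF-8') . '"';
}

// Constructed samples modelled on the IE expression() vector; they are not
// taken from the test message linked in the thread.
$samples = [
    'width: expression(alert(1))',
    'width: expr/**/ession(alert(1))',
    'width: &#101;xpression(alert(1))',
    'width: \65 xpression(alert(1))',
    'width: e x p r e s s i o n(alert(1))',
    'color: red; background: url(logo.png)', // benign, must survive unchanged
];
foreach ($samples as $css) {
    printf("%-40s -> %s\n", $css, style_attr($css));
}
```

This is still a blacklist: any decoding IE performs that normalize_style() does not reproduce lets a token through, which is the same class of gap as the unsanitized strings the thread mentions. A whitelist of permitted CSS properties and value grammars is the sturdier fix; a defang pass like this is a stopgap that buys time.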
List info: http://lists.roundcube.net/dev/