[RCU] XSS vulnerability

Vincent Bernat bernat at luffy.cx
Fri Feb 6 07:46:51 CET 2009


The following changeset fixes an XSS vulnerability:

Roundcube is packaged in Debian Lenny and the version that is considered
for this version is 0.1.1. It is not possible to package a more recent
version due to the way Debian manages to publish a "stable" version.

The code is really different for 0.1.1. From my understanding of the
code, it seems that 0.1.1 is not vulnerable, but I will test this.

We also have 0.2-alpha. We are in the process of releasing 0.2-stable as
well, but this is not done yet since some pieces are missing in Debian.
0.2-alpha does not accept the background attribute, so no problem with
this one. However, the patch also changes a regexp. Is this change
related to the XSS vulnerability?

Thanks for any input.

Make sure comments and code agree.
            - The Elements of Programming Style (Kernighan & Plauger)
List info: http://lists.roundcube.net/users/
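The two questions in the message above (does accepting the background attribute matter, and why would a patch for an XSS also touch a regexp) can be illustrated with a toy HTML-mail attribute washer. This is an added example, not code from the post, from Roundcube, or from the changeset under discussion, and it makes no claim about what that changeset actually changed. The attribute names, allow-lists and the `url_is_safe*` / `wash_attributes` functions are this example's own assumptions. The example goes beyond the post in one respect: it also shows the general bypasses (case, embedded whitespace, entity encoding, other active schemes) that a literal-substring regexp check misses.

```php
<?php
// Added example (not Roundcube's code): a toy attribute washer for HTML mail.
// Assumption made here, not stated in the post: the XSS class in question is a
// URL-bearing attribute (background) that the washer lets through without the
// scheme check it applies to href/src, plus a scheme check whose regexp is
// easy to bypass. Attribute names and the allow-lists are this example's own.

// Attributes that carry a URL and must go through the scheme check.
const URL_ATTRS = ['href', 'src', 'background'];
// Attributes the washer keeps at all.
const ALLOWED_ATTRS = ['href', 'src', 'alt', 'title', 'background'];
// Schemes the hardened check accepts; everything else is dropped.
const SAFE_SCHEMES = ['http', 'https', 'mailto', 'cid'];

// Weak check: matches only a literal, lowercase "javascript:" at the start.
// "JavaScript:", "java\tscript:" and "&#106;avascript:" all slip past it.
function url_is_safe_weak(string $url): bool
{
    return !preg_match('/^javascript:/', $url);
}

// Hardened check: normalise the way a browser would (entity-decode, drop the
// control characters and whitespace a browser ignores inside the scheme),
// then require the scheme to be on the allow-list instead of block-listing.
function url_is_safe(string $url): bool
{
    $u = html_entity_decode($url, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    $u = preg_replace('/[\x00-\x20]/', '', $u);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $u, $m)) {
        return in_array(strtolower($m[1]), SAFE_SCHEMES, true);
    }
    return true; // no scheme at all: relative URL
}

// $hardened = false reproduces the weak behaviour: background is kept but is
// never URL-checked, and href/src only get the weak regexp.
function wash_attributes(array $attrs, bool $hardened): array
{
    $out = [];
    foreach ($attrs as $name => $value) {
        $name = strtolower($name);
        if (!in_array($name, ALLOWED_ATTRS, true)) {
            continue; // unknown attribute: dropped
        }
        if ($hardened) {
            if (in_array($name, URL_ATTRS, true) && !url_is_safe($value)) {
                continue;
            }
        } elseif (in_array($name, ['href', 'src'], true) && !url_is_safe_weak($value)) {
            continue;
        }
        $out[$name] = $value;
    }
    return $out;
}

// Constructed inputs: what an attacker-controlled HTML mail might carry.
$samples = [
    ['href' => 'http://example.invalid/'],   // legitimate
    ['background' => 'javascript:alert(1)'], // never checked by the weak washer
    ['href' => 'JavaScript:alert(1)'],       // case bypass of the weak regexp
    ['src' => "java\tscript:alert(1)"],      // tab inside the scheme
    ['href' => '&#106;avascript:alert(1)'],  // entity-encoded first letter
    ['href' => 'vbscript:MsgBox(1)'],        // other active scheme
];

foreach ($samples as $attrs) {
    $weak = wash_attributes($attrs, false);
    $hard = wash_attributes($attrs, true);
    printf("%-32s weak keeps: %-4s hardened keeps: %s\n",
        key($attrs) . '=' . current($attrs),
        $weak ? 'yes' : 'no', $hard ? 'yes' : 'no');
}
```

Run with `php example.php`: the weak washer keeps every sample (the first is the only one it should keep), the hardened one keeps only the `http://` link. Whether a particular browser actually executes a script URL placed in a `background` attribute is browser-specific; the point is that any allowed attribute that can carry a URL has to go through the same scheme check as `href` and `src`, and that a scheme check written as a literal-substring regexp is bypassable by case, embedded whitespace and entity encoding, which is why such fixes often come with a regexp change. Normalising first and then allow-listing schemes is the robust form.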
