Matt Kaatman wrote:
We did see it but (until now) we've been unable to duplicate it. Your link below to the demo site is the first time I've seen it work. I'm not sure if the original report had a bad link in it or if I simply fail at copy and paste.
The link in the advisory at SecurityFocus was:
http://www.example.com/?_task=%27);alert(%22XSS%22)//
That didn't trigger the bug, but the URL in his e-mail was slightly different:
http://demo.roundcube.net/?_task=%27);alert(%22XSS%22)//
It looks like that apostrophe got encoded into the HTML character entity &#039; when it was posted originally.
I can also reproduce it with the second URL on my local installations.
Jim