Hey Chris,
We did see it but (until now) we've been unable to duplicate it. Your link below to the demo site is the first time I've seen it work. I'm not sure if the original report had a bad link in it or if I simply fail at copy and paste.
Thanks!
Matt
Chris Largret wrote:
Hey,
I'm sure others have seen this as it's a couple days old now, but I'm just passing it along. It should have been sent to you guys first, but I don't see a reference on the dev list and it still works.
-Chris
Begin forwarded message:
Date: Sat, 11 Nov 2006 10:51:00 -0800
From: RSnake <h@ckers.org>
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] XSS in roundcube.com and users of it
There is an XSS vulnerability in roundcube webmail:
http://demo.roundcube.net/?_task=%27);alert(%22XSS%22)//
Btw, we've been posting 0-day XSS vulnerabilities at http://sla.ckers.org/forum/list.php?3 to take it out of the full disclosure list since lots of people don't want to see the sheer volume of reports. We've got close to a thousand companies and counting.
We're just trying to cut down on the noise to people's inboxes. That is all.
-RSnake
http://ha.ckers.org
http://sla.ckers.org
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
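The bug class in the forwarded report, as an added example that is not part of this thread and not Roundcube's code. The shape of the payload (a closing quote and parenthesis, a statement, then a `//` comment) implies the `_task` parameter was reflected inside a single-quoted JavaScript string literal in an inline script; the `rcmail.init('...')` markup, the `task_param` and `render_*` helpers and the `ALLOWED_TASKS` set are assumptions made for the example. The script renders the same payload through a raw interpolation, through JavaScript-context output encoding, and through a whitelist plus encoding, and then scans each result the way a JS tokenizer would, to show where the attacker's text ends up.

```python
import json
import re
from urllib.parse import unquote

# Constructed reproduction of the reported bug class (example code, not
# Roundcube's). The page markup below is assumed from the payload's shape.
REPORTED_URL = "http://demo.roundcube.net/?_task=%27);alert(%22XSS%22)//"

# Assumed task names for the example; Roundcube's real list is not on the page.
ALLOWED_TASKS = {"mail", "addressbook", "settings", "logout"}


def task_param(url):
    """Return the percent-decoded _task value, as the server would see it."""
    m = re.search(r"[?&]_task=([^&]*)", url)
    return unquote(m.group(1)) if m else ""


def render_vulnerable(task):
    """Raw interpolation: the attacker supplies the closing quote."""
    return "<script>rcmail.init('%s');</script>" % task


def js_string_literal(value):
    """Encode for a JavaScript string context. json.dumps emits a double-quoted
    literal with backslash and quote escaped and, with the default
    ensure_ascii=True, non-ASCII such as U+2028 as \\uXXXX. '<' is escaped as
    well so a value containing '</script>' cannot end the script block."""
    return json.dumps(value).replace("<", "\\u003c")


def render_encoded(task):
    """Output encoding only: whatever the value is, it stays inside the literal."""
    return "<script>rcmail.init(%s);</script>" % js_string_literal(task)


def render_hardened(task):
    """Input validation plus output encoding: an unknown task name is replaced
    by the default before it reaches the script at all."""
    if task not in ALLOWED_TASKS:
        task = "mail"
    return render_encoded(task)


def script_body(html):
    """Return the contents of the first inline <script> block."""
    return re.search(r"<script>(.*?)</script>", html, re.S).group(1)


def code_after_first_literal(script):
    """Scan like a JS tokenizer: find the first string literal, honouring
    backslash escapes, and return whatever follows its closing quote. In the
    vulnerable page the injected statement shows up here; in the encoded pages
    only the original ');' remains."""
    i = 0
    while script[i] not in "'\"":
        i += 1
    quote = script[i]
    i += 1
    while script[i] != quote:
        if script[i] == "\\":
            i += 1  # skip the escaped character
        i += 1
    return script[i + 1:]


if __name__ == "__main__":
    payload = task_param(REPORTED_URL)
    for name, render in (("vulnerable", render_vulnerable),
                         ("encoded", render_encoded),
                         ("hardened", render_hardened)):
        html = render(payload)
        print(name, "->", html)
        print("   code after literal:", code_after_first_literal(script_body(html)))
```

Note that HTML entity encoding is the wrong tool here: inside a `<script>` block the HTML parser does not decode entities, so the encoding has to match the JavaScript string context, and a whitelist on a parameter that can only ever take a handful of fixed values removes the question entirely.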