Trying to send again now that I'm actually subscribed. Hopefully
it'll make it through this time! Sorry for all the forward headers.
-- Jordan Wiens Contributing Technology Editor, Security Network Computing/InformationWeek 352.871.5109 (m) jordanwiens (im)
Begin forwarded message:
From: Jordan Wiens jwiens@nwc.com Date: August 12, 2007 6:35:34 PM EDT To: dev@lists.roundcube.net Subject: Fwd: roundcube vulnerability scan
Sent this to roundcube@gmail.com, but never heard back. Since this
is a public list, I've removed descriptions of the raw
vulnerabilities. Would prefer to handle those privately unless
explicitly told otherwise. Feel free to contact me via email or
phone.-- Jordan Wiens Contributing Technology Editor, Security Network Computing/InformationWeek 352.871.5109 (m) jordanwiens (im)
Begin forwarded message:
From: Jordan Wiens jwiens@nwc.com Date: July 20, 2007 6:59:50 PM EDT To: roundcube@gmail.com Subject: roundcube vulnerability scan
I'm using roundcube as a test application for a review on web
application vulnerability scanners (http:// www.networkcomputing.com/rollingreviews/Web-Applications- Scanners/) and as a result, I expect to have a variety of
vulnerabilities discovered over the course of the review.I wanted to email you to ask a couple of questions.
First, how should I submit bugs discovered? Just use trac? Will
that make them public? Private email? Let me know what you
prefer, I'm happy to do either.Secondly, would you like me to publicly mention which open source
webmail project I used for my testing? Or stay anonymous? I'd
prefer to not make it public at the very least until all the flaws
discovered are fixed, though I doubt that will be a problem since
writing the articles takes a while to go through the whole
magazine process. Other than that, I'll leave the option up to
you as to whether you prefer to be discussed. Note that I don't
plan on discussion the exact details of particular
vulnerabilities, just the general class and types.Anyway, I've already stumbled across a few ways to evade the cross- site scripting blocking filters when manually looking through the
code to see what the application scanners will be up against.Here's samples of vulns I've found so far that will automatically
execute javascript without user action besides just opening the
email:<DELETED>
-- Jordan Wiens Contributing Editor, Security Network Computing/InformationWeek 352.871.5109 (m) jordanwiens (im)
*http://www.networkcomputing.com/rollingreviews/Web-Applications- Scanners/
List info: http://lists.roundcube.net/dev/