Vincent Bernat wrote:
A vulnerability was discovered in Roundcube: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=455840
It seems that there is no fix yet. Any idea on this topic?
This is not strictly a RoundCube vulnerability but Internet Explorer's intended behaviour.
I'm not sure if we need to prevent IE doing something that Microsoft wants it to do (http://openmya.hacker.jp/hasegawa/security/expression.txt):
'As a result of having confirmed in our company development department, this phenomenon is the behavior by design of Internet Explorer, and it was judged it does not fit the definition of vulnerability.'
On the other hand, if a 'fix' can prevent IE users from getting into more trouble than they already are :), and it won't break any functionality, I see no problem working around this 'feature'.
I'll try to find out what other webmails do about this.
A workaround would be for IE users to turn off the 'Prefer HTML' option.
Robin
PS. Interesting, the posting on securityfocus says 'Author was contacted on 2007-05-11' but I don't recall any _specific_ vulnerability being reported on the dev-mailing list around that time. Unfortunately the archives are down right now so I cannot check my external memory.
_______________________________________________
List info: http://lists.roundcube.net/dev/