Hi,
Bug #1484109 has been added tonight, mentioning a cross site security
vulnerability.
The poster refers to http://www.securityfocus.com/bid/21042/info.
Apart from the fact that I cannot reproduce the given proof-of-concept, I fail to see how this is supposed to be a vulnerability.
Robin
Robin Elfrink wrote:
Bug #1484109 has been added tonight, mentioning a cross site security vulnerability.
The poster refers to http://www.securityfocus.com/bid/21042/info.
Apart from the fact that I cannot reproduce the given proof-of-concept, I fail to see how this is supposed to be a vulnerability.
I'm not able to reproduce this either with SVN rev 371. I don't have any instances of roundcube using the versions listed in the report (0.1 -20051021 and 0.1-beta2).
I tried it while logged out and while logged in, with IE 7 and Firefox 2.0.
If it really does happen, then yes, technically it can be considered a vulnerability, but an XSS problem like this isn't in the same league as a security problem that would compromise server integrity. (That's a discussion for another time/list/etc.) It's more about preventing phishing sites, end-user information theft, or site misidentification.
A little extra input scrubbing should fix it, if it hasn't been fixed already in the course of other changes.
Whoever discovered this should have given a lot more detail as to how to reproduce the problem.
Jim