Trying to send again now that I'm actually subscribed. Hopefully
it'll make it through this time! Sorry for all the forward headers.
-- Jordan Wiens Contributing Technology Editor, Security Network Computing/InformationWeek 352.871.5109 (m) jordanwiens (im)
Begin forwarded message:
List info: http://lists.roundcube.net/dev/
Hey Jordan,
really depends on the nature of the bug. If they are severe, maybe email them to me and Thomas off-list? Otherwise, I have no issues if you used the trac and maybe kept the list up to date as well.
In general I agree to wait with disclosure until they are fixed/straightened out so people have a chance to update. Just keep in mind that we are 0.1-rc1 and be gentle! ;))
Till
On 8/23/07, Jordan Wiens jwiens@psifertex.com wrote:
mind that we are 0.1-rc1 and be gentle! ;))
IMO: Be .. *polite*. But, real problems if identified need a fixin. The fact that RC is a 0.1 and not a 1.0 means this is a great time to have it come up, before there is too much of an install base for RC.
Being that there's always two sides to the argument on disclosure, I just want to say thank you Jordan, for giving a chance to do things politely. :-)
On 8/24/07, Jason Fesler jfesler@gigo.com wrote:
JASON YOU ARE LURKING! ;))
Just for the record - by no means did I mean that we don't want to fix problems. And yes, we are grateful for all feedback.
Cheers, Till
There's a couple of different classes that have showed up so far:
XSS within the application itself which would require someone to click a
link or visit a malicious page that could then redirect or otherwise
force the browser to visit the roundcube interface and would be able
to then execute javascript within their browser's session and the
context of their users. This isn't quite as serious as it requires a
targeted attack where the bad guy knows the url of the roundcube
interface being used.
Some of the others are a little bit more serious in that they allow
javascript within a malicious email. This is more dangerous since
the attacker just has to be able to send an email to a user they know
is using roundcube (easy to find out from mail headers) and the email
can automatically do whatever it wants with their account, including
injecting a copy of itself into the signature field which is the
third class of vulnerability -- a permanent XSS where the signature
can contain javascript so that any time someone composes a new
message, the malicious javascript that's been planted in their signature
(see the above two methods for how to do that) can again
run, maintaining a semi-permanent infection of their account.
Good news is nothing shows a way to directly compromise the
application itself, or the server, so far they're all just javascript
that could compromise individual email accounts.
No need to rely on the early version number, RC is a great package!
I'm testing the application scanners themselves, not the
applications. As I said before, whether you'd like me to publicly
list roundcube as the open source webmail package I did testing with
(or just generically describe it as "open source webmail package") is
totally up to you guys, I'm cool either way.
I'll start by emailing you and Thomas off-list with more details and
examples of what I've found so far and we can take it from there.
On Aug 23, 2007, at 7:02 PM, till wrote:
On Aug 23, 2007, at 7:14 PM, Jason Fesler wrote:
Glad to be of service! I'm a big believer and user of open-source,
so this only makes sense to me. I figure everybody wins -- you guys
get a fairly decent security audit (though certainly not
comprehensive -- being that I'm really focusing on testing the
products and not RC itself) and I've got a great test application to
throw scanners against and watch how they handle (or don't as is
mostly the case so far) AJAX apps.
I've got decent ideas on how to fix most of the vulns already, so
hopefully I won't make much extra work for you guys, but we can still
really tighten the security.
BTW -- I use RoundCube myself as a backup mail client, so I've got a
vested interest as well. ;-)
On 8/24/07, Jordan Wiens jwiens@psifertex.com wrote:
Ok, we are all ears.
Thanks again, Till
Jordan Wiens wrote:
Hi Jordan,
I've received your message and it is still marked as unread. This is mostly because I didn't know exactly what to answer on your question but I'm glad to see that already discussed in the thread.
You are welcome to send vulnerability reports privately to me, Till and the other devs listed at http://trac.roundcube.net/trac.cgi/wiki/Dev_Members
Maybe the wiki page also allows you to decide which person should be involved regarding the responsibilities.
Regards, Thomas