Hey,
I'm sure others have seen this as it's a couple days old now, but I'm just passing it along. It should have been sent to you guys first, but I don't see a reference on the dev list and it still works.
Begin forwarded message:
Date: Sat, 11 Nov 2006 10:51:00 -0800
From: RSnake h@ckers.org
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] XSS in roundcube.com and users of it
There is an XSS vulnerability in roundcube webmail:
http://demo.roundcube.net/?_task=%27);alert(%22XSS%22)//
Btw, we've been posting 0-day XSS vulnerabilities at http://sla.ckers.org/forum/list.php?3 to take it out of the full disclosure list since lots of people don't want to see the sheer volume of reports. We've got close to a thousand companies and counting.
We're just trying to cut down on the noise to people's inboxes. That is all.
-RSnake
http://ha.ckers.org http://sla.ckers.org
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Chris Largret http://www.largret.com
Hey Chris,
We did see it but (until now) we've been unable to duplicate it. Your link below to the demo site is the first time I've seen it work. I'm not sure if the original report had a bad link in it or if I simply fail at copy and paste.
Thanks! Matt
Matt Kaatman wrote:
We did see it but (until now) we've been unable to duplicate it. Your link below to the demo site is the first time I've seen it work. I'm not sure if the original report had a bad link in it or if I simply fail at copy and paste.
The link in the advisory at SecurityFocus was:
http://www.example.com/?_task=%27);alert(%22XSS%22)//
That didn't trigger the bug, but the URL in his e-mail was slightly different:
http://demo.roundcube.net/?_task=%27);alert(%22XSS%22)//
It looks like that apostrophe got encoded into the HTML character entity &#039; when it was posted originally.
I can also reproduce it with the second URL on my local installations.
Jim
I've been able to duplicate it on beta2, rev 336, and rev 361. Now I know they're out of date, but it's been available in each.
~Brett
On Nov 21, 2006, at 9:48 AM, Brett Patterson wrote:
I've been able to duplicate it on beta2, rev 336, and rev 361. Now I know they're out of date, but it's been available in each.
Reproducible on 373.
-- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
I think the problem is in index.php. Here is a quick fix:
After line 93, add:

    // Line 93
    $_task = get_input_value('_task', RCUBE_INPUT_GPC);

    // sanitize $_task
    if (!preg_match('/[a-z]+/i', $_task, $task_sanitized)) {
        $_task = '';
    } else {
        $_task = $task_sanitized[0];
    }

It only allows tasks that are made of letters. Corrects the problem on my installation.
Another solution (don't know which is better):
Use in_array($_task, $MAIN_TASKS) and defaults if not inside the array. I think we should default to '' there because the default task is set after this step.
Problem is on line 128:

    $COMM_PATH = sprintf('./?_task=%s', $_task);

$COMM_PATH is then output to the user, hence the alert box.
Aurélien
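To compare the two fixes proposed in the message above, here is an added example (it is not Roundcube's index.php and not part of the thread) that rebuilds the ?_task= flow as stand-alone PHP and runs the advisory's payload through the raw sink, the letters-only regex and the whitelist. The $MAIN_TASKS list and the function names are constructed for the illustration, and the json_encode step at the sink is a defense-in-depth addition the thread itself does not mention.

```php
<?php
// Added example, not Roundcube's own index.php: the ?_task= flow rebuilt as
// stand-alone functions so the two proposed fixes can be compared.
// $MAIN_TASKS is a constructed list; the real names live in Roundcube's config.
$MAIN_TASKS = array('mail', 'settings', 'addressbook', 'logout');

// Vulnerable shape (line 128 in the thread): whatever arrived in ?_task= is
// formatted straight into $COMM_PATH, which the page later emits to the user.
function comm_path_unfiltered($task) {
    return sprintf('./?_task=%s', $task);
}

// Fix 1 (regex): keep the first run of letters. The pattern is unanchored,
// so the payload is not rejected but reduced to "alert", which is harmless
// here but still not a real task name.
function task_letters_only($task) {
    if (!preg_match('/[a-z]+/i', $task, $m)) {
        return '';
    }
    return $m[0];
}

// Fix 2 (whitelist): accept only a known task, otherwise '' so that the
// default task is chosen later, exactly as the thread suggests.
function task_whitelist($task, array $main_tasks) {
    return in_array($task, $main_tasks, true) ? $task : '';
}

// Defense in depth at the sink (not in the thread): encode $COMM_PATH for the
// JavaScript string context it is written into, so even a bad value cannot
// terminate the string.
function comm_path_for_js($task) {
    return json_encode(sprintf('./?_task=%s', $task));
}

// The advisory's payload as PHP sees it in $_GET after URL decoding.
$payload = urldecode('%27);alert(%22XSS%22)//');

printf("raw:        %s\n", comm_path_unfiltered($payload));
printf("regex:      %s\n", comm_path_unfiltered(task_letters_only($payload)));
printf("whitelist:  %s\n", comm_path_unfiltered(task_whitelist($payload, $MAIN_TASKS)));
printf("js-encoded: %s\n", comm_path_for_js($payload));
printf("valid task: %s\n", task_whitelist('mail', $MAIN_TASKS));
```

The whitelist is the stricter of the two: the regex still lets any alphabetic string through as a "task", while in_array only admits names the application actually knows.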
There's a patch available for this issue. See http://trac.roundcube.net/trac.cgi/ticket/1484109
It is also fixed in the SVN trunk (rev 382).
Regards, Thomas