Vincent Bernat wrote:
A vulnerability was discovered in Roundcube: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=455840
It seems that there is no fix yet. Any idea on this topic?
This is not strictly a RoundCube vulnerability but Internet Explorer's intended behaviour.
I'm not sure if we need to prevent IE doing something that Microsoft wants it to do (http://openmya.hacker.jp/hasegawa/security/expression.txt):
'As a result of having confirmed in our company development department, this phenomenon is the behavior by design of Internet Explorer, and it was judged it does not fit the definition of vulnerability.'
On the other hand, if a 'fix' can prevent IE users from getting into more trouble than they already are :), and it won't break any functionality, I see no problem working around this 'feature'.
I'll try to find out what other webmails do about this.
A workaround would be for IE users to turn off the 'Prefer HTML' option.
Robin
PS. Interesting, the posting on securityfocus says 'Author was contacted on 2007-05-11' but I don't recall any _specific_ vulnerability being reported on the dev-mailing list around that time. Unfortunately the archives are down right now so I cannot check my external memory.
List info: http://lists.roundcube.net/dev/
Robin Elfrink wrote:
I'll try to find out what other webmails do about this.
I found Squirrelmail's solution. They seem to use one function for every possible tag in the HTML source:
http://osdir.com/ml/mail.squirrelmail.cvs/2006-12/msg00031.html
I'll try to implement that, and/or search for more :)
Robin
I have here a quick hacked-up patch for the IE CSS XSS vulnerability. Partly stolen from Squirrelmail.
It's not nice but it seems to work.
Any comments?
Robin
Attachment (detached by the list archive): http://detached.gigo.com/rc/df/hlPQIvyG/ie-xss.200712131255.patch
On Dec 13, 2007 5:30 PM, Robin Elfrink elfrink@introweb.nl wrote:
I have here a quick hacked-up patch for the IE CSS XSS vulnerability. Partly stolen from Squirrelmail.
From what I know about XSS, I think this is what is asked for in this RFE:
http://trac.roundcube.net/ticket/1484584
And as suggested, I think using htmlpurifier or such stuff is better. But if this squirrelmail hacked code works fine here as well, then no issues. But I thought, why reinvent the wheel?
Thank you
Balachandran Sivakumar (benignbala)
Arise Awake and stop not till the goal is reached
Learn to live.................Live to learn
Mail: benignbala@gmail.com Blog: http://benignbala.wordpress.com/ Site: http://benignbala.googlepages.com
OoO On this rainy morning of Thursday 13 December 2007, at around 10:28, Robin Elfrink elfrink@introweb.nl said:
I found Squirrelmail's solution. They seem to use one function for every possible tag in the HTML source:
http://osdir.com/ml/mail.squirrelmail.cvs/2006-12/msg00031.html
I'll try to implement that, and/or search for more :)
Hi Robin !
I noticed that you have posted a patch. I have tried it but it seems that there is no effect. I have tried with IE6 from ie4linux and I still get the javascript popups. Did you try it successfully on rc2?
I have used the test message from here: http://www.topolis.lt/bugtraq/expression.eml.gz
MY NAME IS NOT DR. DEATH MY NAME IS NOT DR. DEATH MY NAME IS NOT DR. DEATH -+- Bart Simpson on chalkboard in episode 8F18
OoO Early in the evening of Friday 28 December 2007, at around 21:45, I said:
Hi Robin !
I noticed that you have posted a patch. I have tried it but it seems that there is no effect. I have tried with IE6 from ie4linux and I still get the javascript popups. Did you try it successfully on rc2?
I have used the test message from here: http://www.topolis.lt/bugtraq/expression.eml.gz
I have tried with an up-to-date IE7 and the patch provided here does not fix the issue. In fact, the source code shows there are still unsanitized strings. I have completed the patch with a function from Squirrelmail (sq_defang). I have attached the complete patch.
Attachment (detached by the list archive): http://detached.gigo.com/rc/Kv/ygd6Dv7S/xss-fix.patch
There are still some unsanitized strings but IE does not trigger any alert any more. We will use this patch as a temporary fix for the Roundcube Debian package unless you see a better way to handle this issue.
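To make concrete what an sq_defang-style pass has to do against IE's CSS expression() behaviour discussed in this thread, here is an added example (my own code, not the Roundcube or Squirrelmail patch): it normalises the CSS tricks IE tolerates (comments, backslash escapes, entity-encoded attribute values) before blocklisting, then rewrites every style attribute and <style> body of a constructed sample message. The blocklist entries, the `/*removed*/` marker and the sample HTML are my assumptions, not values from the thread.

```python
import re
import html
from html.parser import HTMLParser

# CSS constructs IE executes from a style attribute or sheet (expression() as in the thread,
# plus its siblings). Matched only after normalize_css() so obfuscation cannot hide them.
CSS_BLOCKLIST = re.compile(
    r"expression\s*\(|behaviou?r\s*:|-moz-binding|javascript\s*:|vbscript\s*:", re.I)


def normalize_css(css: str) -> str:
    """Undo the obfuscations IE tolerates: /* */ comments, \\hh escapes, control chars."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)                 # expr/**/ession -> expression
    css = re.sub(r"\\([0-9a-fA-F]{1,6})[ \t\n]?",                   # \65 -> e (CSS hex escape)
                 lambda m: chr(int(m.group(1), 16)) if int(m.group(1), 16) <= 0x10FFFF else "",
                 css)
    css = re.sub(r"\\(.)", r"\1", css, flags=re.S)                  # e\xpression -> expression
    return re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", "", css)      # drop stray control chars


def defang_css(css: str) -> str:
    """Return css with every blocklisted construct replaced by an inert comment marker."""
    return CSS_BLOCKLIST.sub("/*removed*/", normalize_css(css))


class StyleDefanger(HTMLParser):
    """Re-emits the HTML, passing style attributes and <style> bodies through defang_css().
    HTMLParser already decodes entity-encoded attribute values (style="&#101;xpression(...)"),
    which is one more normalisation a hand-written regex over raw source would miss."""
    def __init__(self):
        super().__init__()
        self.out, self.in_style = [], False
    def handle_starttag(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if value is None:
                parts.append(name)
                continue
            if name == "style":
                value = defang_css(value)
            parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(" " + p for p in parts)))
        self.in_style = tag == "style"
    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)
        self.in_style = False
    def handle_data(self, data):
        # <style> content arrives raw (CDATA mode); ordinary text was entity-decoded, so re-escape it.
        self.out.append(defang_css(data) if self.in_style else html.escape(data, quote=False))


def sanitize_html(doc: str) -> str:
    p = StyleDefanger()
    p.feed(doc)
    p.close()
    return "".join(p.out)


# Constructed sample in the spirit of the expression() test message: IE6/7 would run alert() here.
SAMPLE = ('<div style="width: expr/**/ession(alert(document.cookie))">hi</div>'
          '<style>body { background: url(javascript:alert(1)) }</style><p style="color:red">ok</p>')

if __name__ == "__main__":
    print(sanitize_html(SAMPLE))
```

Running the sample yields a document in which both the comment-split expression() and the javascript: URL are reduced to `/*removed*/`, while the harmless `color:red` rule is left intact.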