SSV:92792
RoundCube Webmail mail <1.0.5 body stored XSS (CVE-2015-1433)
Source: www.seebug.org, author Root, published Mar 16, 2017
EPSS: 0.005 (Low), percentile 76.2%

RoundCube Webmail is an open-source PHP webmail system that is widely used abroad, so this issue is fairly significant.

The roundcube webmail official website is https://roundcube.net/ ; download the latest version from there. The file /program/lib/Roundcube/rcube_washtml.php contains the rich-text filter class rcube_washtml, which roundcube uses to sanitize HTML mail bodies.

A quick look at the file shows that this class does the following:

  1. Parse the HTML with the DOM and walk every tag together with its attribute keys and values.
  2. Apply a whitelist, keeping only the allowed tags and attributes.
  3. Splice the kept tags, attributes, keys and values back together, as a string, into the filtered HTML output.

This process alone already shows a safety hazard. I once wrote a rich-text filter class myself; its first two steps are the same as this class's, but in the third step I kept the result as a DOM object and then serialized that object to HTML, rather than building the output as a string.

What is the difference between the two? The big one is that roundcube builds the HTML by string concatenation. If the quotes are not handled correctly during concatenation, it is easy for an attribute "value" to escape its quotes and become a new "attribute", such as onerror.

Now look at line 246:

    else if ($key == 'style' && ($style = $this->wash_style($value))) {
        $quot = strpos($style, '"') !== false ? "'" : '"';
        $t .= 'style=' . $quot . $style . $quot;
    }

When the attribute name is style, the value is passed to the wash_style function, which, as the name implies, filters the CSS. Its return value $style is then spliced into the final HTML: $t .= 'style=' . $quot . $style . $quot;

$quot is the quote character that wraps $style, and it is chosen on the line just before: if $style contains a double quote, $quot is a single quote; otherwise (for instance when $style contains only single quotes) $quot is a double quote.

But what if $style contains both kinds of quote? Then whichever quote is chosen as the delimiter also appears inside the value, so the delimiter is closed early, and everything after it can be written as further attributes.

The analysis is somewhat fiddly, so I will not write it all out; my final payload is:

<img src>

Notice that the style contains both a single quote and a double quote. Because a double quote is present, a single quote is chosen as the outer delimiter; but because the value also contains a single quote, that single quote closes the delimiter early, the remaining content spills out of the attribute, onerror becomes a new attribute, and the result is a stored XSS.
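To make the quote confusion concrete, here is an added example that is not code from this post or from roundcube. It reproduces only the attribute-splicing step from line 246 (the $quot selection and string concatenation) next to a hardened variant of my own, which is not necessarily the fix roundcube 1.0.5 shipped. wash_style() is deliberately not modelled: the constructed style values below are assumed to come out of the CSS filter unchanged, which this example does not verify, so it demonstrates the splicing flaw rather than a complete bypass. PHP's DOMDocument stands in for a browser's attribute parser to count how many attributes each output actually contains.

```php
<?php
// Added example, not code from the Seebug post or from roundcube itself.
// Models only the attribute-splicing step of rcube_washtml (line 246 above)
// plus a hardened variant. wash_style() is NOT modelled: the constructed
// inputs below are assumed to pass the CSS filter unchanged.

// Vulnerable splice: pick whichever quote the value does not contain,
// which silently assumes the value contains at most one kind of quote.
function splice_style_vulnerable(string $style): string
{
    $quot = strpos($style, '"') !== false ? "'" : '"';
    return '<img src style=' . $quot . $style . $quot . ' />';
}

// Hardened splice (my own variant): always use a fixed delimiter and
// entity-encode both quote characters (ENT_QUOTES), so no value can
// terminate the attribute early, whatever mix of quotes it contains.
function splice_style_hardened(string $style): string
{
    $encoded = htmlspecialchars($style, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src style="' . $encoded . '" />';
}

// List the attribute names a parser sees on the <img>. DOMDocument is an
// approximation of a browser's HTML attribute parser, good enough to show
// whether onerror was split off as its own attribute.
function attribute_names(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();
    $img = $doc->getElementsByTagName('img')->item(0);
    $names = [];
    foreach ($img->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed style values (not the post's payload): one with only single
// quotes, one with only double quotes, one with both.
$only_single = "color:red;font-family:'x'";
$only_double = 'color:red;font-family:"x"';
$both        = "color:red' onerror=\"alert(1)\" x='";   // contains both ' and "

foreach ([$only_single, $only_double, $both] as $style) {
    $vuln = splice_style_vulnerable($style);
    $hard = splice_style_hardened($style);
    printf("value: %s\n  vulnerable: %s\n    attrs: %s\n  hardened:   %s\n    attrs: %s\n",
        $style,
        $vuln, implode(',', attribute_names($vuln)),
        $hard, implode(',', attribute_names($hard)));
}
```

For the first two values both splices yield a single style attribute. For the third, the vulnerable splice chooses a single quote as delimiter because a double quote is present, the value's own single quote closes it after color:red, and the parser reports src, style, onerror and x as separate attributes; the hardened splice reports only src and style, because both quote characters were encoded instead of trusted.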

After processing by the class, the HTML becomes the following; the latest version of Chrome triggers it directly, without any user interaction:

<img src />

To test, send an email whose body contains the above PoC; when roundcube opens the message, the XSS fires: