[Pkg-roundcube-maintainers] Bug#455840: CVE-2007-6321: Cross-site scripting (XSS) vulnerability

Vincent Bernat bernat at luffy.cx
Wed Jan 2 18:40:26 UTC 2008


OoO En  ce milieu  de nuit  étoilée du mercredi  12 décembre  2007, vers
03:46, Micah Anderson <micah at debian.org> disait:

> CVE-2007-6321 details a XSS vulnerability in Roundcube 0.1rc2 and
> earlier. Its only affects users of IE who are using roundcube, so it may
> seem unimportant, but the sad fact of the matter is many people
> still use that browser and most people who run webmail are likely to be
> visited by IE users.

> Please mention this CVE in any changelogs that address this issue. When
> a fix is available, please upload with urgency=high to speed up
> migration to testing. If you have any questions or need help, visit us
> in channel #debian-security on OFTC.

> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6321
> Reference: BUGTRAQ:20071209 Unsanitized scripting in RoundCube webmail
> Reference: http://www.securityfocus.com/archive/1/archive/1/484802/100/0/threaded
> Reference: http://openmya.hacker.jp/hasegawa/security/expression.txt
> Reference: XF:roundcube-email-messages-xss(38981)
> Reference: URL:http://xforce.iss.net/xforce/xfdb/38981

There is a proposition from Roundcube dev here:
 http://lists.roundcube.net/mail-archive/dev/2007-12/0000038.html

I  have  tested  it  with  ie4linux  and  it  seems  that  it  is  still
vulnerable. Could someone else check this?

I attach the patch as well.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ie-xss.200712131255.patch
Type: text/x-diff
Size: 6494 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-roundcube-maintainers/attachments/20080102/ee8e5e37/attachment.patch 


More information about the Pkg-roundcube-maintainers mailing list