RoundCube Webmail is a widely used open source PHP webmail system, and its user base is still quite large.
roundcube webmail official website: <https://roundcube.net/>; download the latest version. The file /program/lib/Roundcube/rcube_washtml.php contains the rich-text filter class rcube_washtml, which roundcube uses to sanitize the HTML of incoming mail before it is displayed.
First, a quick look at what this class does:
In fact, from this process I can already see a potential security hazard. I once wrote a rich-text filter class myself; its first two steps are the same as this class's, but in the third step I kept the result as a DOM object and then serialized that DOM to HTML for output.
What is the difference between the two? The big difference is that roundcube builds the output HTML by string concatenation. If the quotes are not handled properly during concatenation, it is easy for an attribute "value" to escape its quoted range and become a new "attribute", such as onerror.
Now look at line 246:

    else if ($key == 'style' && ($style = $this->wash_style($value))) {
        $quot = strpos($style, '"') !== false ? "'" : '"';
        $t .= 'style=' . $quot . $style . $quot;
    }
When the attribute name is style, the value is passed to the wash_style function. As its name suggests, this function filters the CSS; its return value $style is then spliced into the final HTML: $t .= 'style=' . $quot . $style . $quot; Here $quot is the quote character that wraps $style, and it is chosen on the line before: if $style contains a double quote, $quot is a single quote; otherwise (including when $style contains only single quotes) $quot is a double quote.
But what if $style contains both kinds of quote? Then the chosen delimiter is guaranteed to appear inside the value, the quoted attribute is closed early, and everything after that point can define further attributes.
The analysis has some tricky parts that I will not write up here; my final payload is:
<img src>
We can see that the style contains both a single quote and a double quote. Because a double quote is present, the single quote is chosen as the outer delimiter; but the value also contains a single quote, so the opening single quote is closed early, the rest of the content overflows out of the attribute, onerror becomes a new attribute, and the result is a stored XSS.
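To make the splice concrete, here is an added example (not code from the original post or from Roundcube) that reproduces the quote selection of line 246 in isolation and contrasts it with an escaped splice and with DOM serialization, the approach the author says his own filter takes. The style value is constructed for illustration and is assumed to have already passed wash_style; how both quote characters get through the CSS filter is the part of the analysis the post leaves out. The escaped variant is one possible hardening, not a claim about Roundcube's actual patch.

```php
<?php
// Added example, not Roundcube's or the post author's code. It reproduces the
// quote-selection logic quoted from rcube_washtml line 246 in isolation.

/**
 * Vulnerable splice: choose the delimiter by which quote character is present,
 * then concatenate the value without any escaping (mirrors line 246).
 */
function splice_style_vulnerable(string $style): string
{
    $quot = strpos($style, '"') !== false ? "'" : '"';
    return 'style=' . $quot . $style . $quot;
}

/**
 * Escaped splice (one possible hardening, assumed here, not Roundcube's real
 * patch): always delimit with double quotes and HTML-encode both quote kinds,
 * so neither character can terminate the attribute.
 */
function splice_style_escaped(string $style): string
{
    return 'style="' . htmlspecialchars($style, ENT_QUOTES, 'UTF-8') . '"';
}

/**
 * DOM serialization: the attribute is set on a node and the serializer decides
 * how to quote and escape it; no code path concatenates a raw value.
 */
function build_img_via_dom(string $style): string
{
    $doc = new DOMDocument();
    $img = $doc->createElement('img');
    $img->setAttribute('src', 'x');
    $img->setAttribute('style', $style);
    $doc->appendChild($img);
    return $doc->saveHTML($img);
}

/**
 * Re-parse the finished tag the way a browser would and report whether an
 * onerror attribute ended up outside the style value.
 */
function parsed_img_has_onerror(string $tag): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $tag . '</body></html>');
    libxml_clear_errors();
    $img = $doc->getElementsByTagName('img')->item(0);
    return $img !== null && $img->hasAttribute('onerror');
}

// Constructed style value: it contains a double quote (so line 246 picks the
// single quote as delimiter) and a single quote that closes that delimiter
// early. It is assumed to have already passed wash_style.
$style = "background:url(\"x\")' onerror='alert(1)";

$candidates = [
    'vulnerable' => '<img src=x ' . splice_style_vulnerable($style) . '>',
    'escaped'    => '<img src=x ' . splice_style_escaped($style) . '>',
    'dom'        => build_img_via_dom($style),
];

foreach ($candidates as $label => $tag) {
    printf("%-10s %s\n", $label, $tag);
    printf("%-10s onerror attribute present: %s\n", '',
        parsed_img_has_onerror($tag) ? 'yes' : 'no');
}
```

Running the script prints the three tags; only the vulnerable splice yields an img element that carries an onerror attribute when re-parsed. Escaping the value is the minimal fix for the concatenation path; serializing from a DOM removes the whole class of bug, which is the point the author makes about his own filter.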
After the class has processed it, the HTML becomes the following; the latest version of Chrome triggers it directly, with no user interaction:
<img src />
To test, send a mail whose body contains the above PoC; when roundcube opens the message, it triggers: