0002598: Script injection in calendar title - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0002598	SOGo	Web Calendar	public	2014-02-04 16:09	2016-07-04 18:48

Reporter	Jens Erat	Assigned To	francis
Priority	urgent	Severity	major	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	2.1.1b
Target Version	2.2.0	Fixed in Version	2.2.0

Summary	0002598: Script injection in calendar title
Description	The calendar title is vulnerable to script injections.
Steps To Reproduce	Go to calendar view Create new appointment In title, write <script> window.alert('bar'); </script> Open the appointment, an alert box telling "bar" will show up Sometimes, the alert box also shows up in the calendar overview.
Tags	No tags attached.

francis 2014-02-04 16:23 administrator ~0006487	What browser do you use?

Jens Erat 2014-02-04 18:55 reporter ~0006493	We were able to reproduce the issue in Chrome/Chromium, Safari and Firefox, most current releases each.

francis 2014-02-05 18:21 administrator ~0006502	I can't reproduce the problem. If I have the rights to modify the event, I'll have an input field with the value properly encoded with HTML entities. If I can only view the event, the title will also be properly encoded and the JavaScript won't be executed.

Jens Erat 2014-02-05 18:32 reporter ~0006503	I couldn't verify it against a newer nightly build containing the equal-sign-fix we reported in another bug, maybe the behavior changed. In a newer nightly build (updated today) I had to remove the semicolon, which got escaped and broke the javascript: `<script> window.alert('bar') </script>` It still gets executed, both when looking at the calendar overview and the appointment details.

francis 2014-02-05 21:11 administrator ~0006505	Fixed. See https://github.com/inverse-inc/sogo/commit/1a7fc2a0e90a19dfb1fce292ae5ff53aa513ade9

Jens Erat 2014-02-07 16:49 reporter ~0006532	I can confirm the bug being fixed for appointments, but a similar problem seems to exist with contacts and the bugfix introduced some encoding problems. Example of the encoding issues (string seems to be HTML-encoded twice): http://images.jenserat.de/2014-02-07_1746.png How to reproduce the code injection with contacts: Create contact, save Reopen contact Add injection code, for example in the "Display" name field (`<script> window.alert('1') </script>`) Save Alert box pops up

Jens Erat 2014-02-07 17:00 reporter ~0006533	Encoding problems also apply to reminder alerts.

francis 2014-02-07 20:55 administrator ~0006535	More fixes : https://github.com/inverse-inc/sogo/commit/80a09407652ec04e8c9fb6cb48e1029e69a15765 https://github.com/inverse-inc/sogo/commit/3a5e44e7eb8b390b67a8f8a83030b49606956501

francis 2014-02-08 01:32 administrator ~0006536	Added HTML escaping in CSS dialogs. See https://github.com/inverse-inc/sogo/commit/c94595ea7f0f843c2d7abf25df039b2bbe707625

Date Modified	Username	Field	Change
2014-02-04 16:09	Jens Erat	New Issue
2014-02-04 16:23	francis	Note Added: 0006487
2014-02-04 18:55	Jens Erat	Note Added: 0006493
2014-02-05 18:21	francis	Note Added: 0006502
2014-02-05 18:32	Jens Erat	Note Added: 0006503
2014-02-05 18:47	francis	Target Version	=> 2.2.0
2014-02-05 21:11	francis	Note Added: 0006505
2014-02-05 21:11	francis	Status	new => resolved
2014-02-05 21:11	francis	Fixed in Version	=> 2.2.0
2014-02-05 21:11	francis	Resolution	open => fixed
2014-02-05 21:11	francis	Assigned To	=> francis
2014-02-07 16:49	Jens Erat	Note Added: 0006532
2014-02-07 16:49	Jens Erat	Status	resolved => feedback
2014-02-07 16:49	Jens Erat	Resolution	fixed => reopened
2014-02-07 17:00	Jens Erat	Note Added: 0006533
2014-02-07 17:00	Jens Erat	Status	feedback => assigned
2014-02-07 20:55	francis	Note Added: 0006535
2014-02-08 01:32	francis	Note Added: 0006536
2014-02-08 01:32	francis	Status	assigned => resolved
2014-02-08 01:32	francis	Resolution	reopened => fixed
2016-07-04 18:48	ludovic	View Status	private => public

View Issue Details

Activities

Issue History