0002368: Persistant XSS in sender field. - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0002368	SOGo	Web Mail	public	2013-07-15 13:17	2013-07-16 15:33

Reporter	ispoljaric	Assigned To
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.0.6
Fixed in Version	2.0.7

Summary	0002368: Persistant XSS in sender field.
Description	If the evil guy sends an email with From header with following code(1), the web interface will render both the image and execute DOM event (tested with onload and onmouseover). 1)"<IMG onmouseover="alert('foo');" SRC=http://i.imgur.com/Spxb03S.jpg>"
Steps To Reproduce	Im using thunderbird, but it could be done manually, scripted or with another email client. Steps to reproduce with thunderbird: 1) Change the from header to the malicious code with Edit->Account Settings-> Your Name and enter : <IMG onmouseover="alert('foo');" SRC=http://i.imgur.com/Spxb03S.jpg> 2) Send a normal email to your sogo email address. 3) Open Sogo WebUI, popup appears, depending if its onmouseover or onload.
Additional Information	Screenshot provided in attachment.
Tags	No tags attached.

Date Modified	Username	Field	Change
2013-07-15 13:17	ispoljaric	New Issue
2013-07-15 13:17	ispoljaric	File Added: sogo_xss_test.png
2013-07-16 15:33	ludovic	Note Added: 0005750
2013-07-16 15:33	ludovic	Status	new => closed
2013-07-16 15:33	ludovic	Resolution	open => fixed
2013-07-16 15:33	ludovic	Fixed in Version	=> 2.0.7

2013-07-15 13:17	sogo_xss_test.png (338,402 bytes)

ludovic 2013-07-16 15:33 reporter ~0005750	https://github.com/inverse-inc/sogo/commit/e08ebd2390ad81bcf7d63c200de85eddbf80bcd6