View Issue Details

Related ChangesetsJump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0003718SOGoWeb Calendarpublic2016-06-07 12:342016-07-04 18:48
Reporterfgrunow Assigned Tofrancis  
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionfixed 
Product Version3.0.2 
Fixed in Version3.1.3 
Summary0003718: Persistent Cross-Site Scripting in calendar
Description

There is a persistent Cross-Site Scripting (XSS) in the calendar of the SOGo Web UI. When creating a calendar entry containing script code and viewing the raw entry in the Web UI the script code gets executed.

Steps To Reproduce

1) Create a calendar entry like the one attached in the screenshot below. I used thunderbird for this, XSS might also trigger if you do this in SOGo diretly. Did not try.

2) View the entry in SOGo. Click on "View Raw Source".

3) JavaScript payload will be executed in the browser.

Additional Information

Vulnerable fields:
1) Description
2) Location
3) URL
4) Title

This seems to be a DOM-based XSS. As SOGo is doing a pretty good job in encoding malicious data in many other places I guess you know how to fix this.

For further information:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

TagsNo tags attached.

Activities

fgrunow

fgrunow

2016-06-07 12:34

reporter  

persistent_xss_sogo_calendar_viewraw_trigger_fg.png (67,413 bytes)   
persistent_xss_sogo_calendar_viewraw_trigger_fg.png (67,413 bytes)   
fgrunow

fgrunow

2016-06-07 12:35

reporter  

persistent_xss_sogo_calendar_viewraw1_fg.png (43,980 bytes)   
persistent_xss_sogo_calendar_viewraw1_fg.png (43,980 bytes)   
fgrunow

fgrunow

2016-06-07 12:35

reporter  

persistent_xss_sogo_calendar_viewraw_fg.png (106,998 bytes)   
persistent_xss_sogo_calendar_viewraw_fg.png (106,998 bytes)   

Related Changesets

sogo: master 64ce3c9c

2016-06-08 16:06

francis


Details Diff		 Escape HTML in raw source of events and tasks

Fixes 0003718		 Affected Issues
0003718
mod - NEWS Diff File
mod - UI/Scheduler/UIxComponentEditor.m Diff File
mod - UI/WebServerResources/js/Scheduler/ComponentController.js Diff File

Issue History

Date Modified Username Field Change
2016-06-07 12:34 fgrunow New Issue
2016-06-07 12:34 fgrunow File Added: persistent_xss_sogo_calendar_viewraw_trigger_fg.png
2016-06-07 12:35 fgrunow File Added: persistent_xss_sogo_calendar_viewraw1_fg.png
2016-06-07 12:35 fgrunow File Added: persistent_xss_sogo_calendar_viewraw_fg.png
2016-06-08 20:08 francis Changeset attached => sogo master 64ce3c9c
2016-06-08 20:08 francis Assigned To => francis
2016-06-08 20:08 francis Resolution open => fixed
2016-06-08 20:09 francis Status new => resolved
2016-06-08 20:09 francis Fixed in Version => 3.1.3
2016-07-04 18:48 ludovic View Status private => public