View Issue Details

IDProjectCategoryView StatusLast Update
0002598SOGoWeb Calendarpublic2016-07-04 14:48
ReporterJens Erat Assigned Tofrancis  
PriorityurgentSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Product Version2.1.1b 
Target Version2.2.0Fixed in Version2.2.0 
Summary0002598: Script injection in calendar title
Description

The calendar title is vulnerable to script injections.

Steps To Reproduce
  • Go to calendar view
  • Create new appointment
  • In title, write <script> window.alert('bar'); </script>
  • Open the appointment, an alert box telling "bar" will show up

Sometimes, the alert box also shows up in the calendar overview.

TagsNo tags attached.

Activities

francis

francis

2014-02-04 11:23

administrator   ~0006487

What browser do you use?

Jens Erat

Jens Erat

2014-02-04 13:55

reporter   ~0006493

We were able to reproduce the issue in Chrome/Chromium, Safari and Firefox, most current releases each.

francis

francis

2014-02-05 13:21

administrator   ~0006502

I can't reproduce the problem.

If I have the rights to modify the event, I'll have an input field with the value properly encoded with HTML entities. If I can only view the event, the title will also be properly encoded and the JavaScript won't be executed.

Jens Erat

Jens Erat

2014-02-05 13:32

reporter   ~0006503

I couldn't verify it against a newer nightly build containing the equal-sign-fix we reported in another bug, maybe the behavior changed. In a newer nightly build (updated today) I had to remove the semicolon, which got escaped and broke the javascript:

&lt;script> window.alert('bar') &lt;/script>

It still gets executed, both when looking at the calendar overview and the appointment details.

francis

francis

2014-02-05 16:11

administrator   ~0006505

Fixed.

See https://github.com/inverse-inc/sogo/commit/1a7fc2a0e90a19dfb1fce292ae5ff53aa513ade9

Jens Erat

Jens Erat

2014-02-07 11:49

reporter   ~0006532

I can confirm the bug being fixed for appointments, but a similar problem seems to exist with contacts and the bugfix introduced some encoding problems.

Example of the encoding issues (string seems to be HTML-encoded twice):

http://images.jenserat.de/2014-02-07_1746.png

How to reproduce the code injection with contacts:

  • Create contact, save
  • Reopen contact
  • Add injection code, for example in the "Display" name field (&lt;script> window.alert('1') &lt;/script>)
  • Save
  • Alert box pops up
Jens Erat

Jens Erat

2014-02-07 12:00

reporter   ~0006533

Encoding problems also apply to reminder alerts.

francis

francis

2014-02-07 15:55

administrator   ~0006535

More fixes :

https://github.com/inverse-inc/sogo/commit/80a09407652ec04e8c9fb6cb48e1029e69a15765
https://github.com/inverse-inc/sogo/commit/3a5e44e7eb8b390b67a8f8a83030b49606956501

francis

francis

2014-02-07 20:32

administrator   ~0006536

Added HTML escaping in CSS dialogs.

See https://github.com/inverse-inc/sogo/commit/c94595ea7f0f843c2d7abf25df039b2bbe707625

Issue History

Date Modified Username Field Change
2014-02-04 11:09 Jens Erat New Issue
2014-02-04 11:23 francis Note Added: 0006487
2014-02-04 13:55 Jens Erat Note Added: 0006493
2014-02-05 13:21 francis Note Added: 0006502
2014-02-05 13:32 Jens Erat Note Added: 0006503
2014-02-05 13:47 francis Target Version => 2.2.0
2014-02-05 16:11 francis Note Added: 0006505
2014-02-05 16:11 francis Status new => resolved
2014-02-05 16:11 francis Fixed in Version => 2.2.0
2014-02-05 16:11 francis Resolution open => fixed
2014-02-05 16:11 francis Assigned To => francis
2014-02-07 11:49 Jens Erat Note Added: 0006532
2014-02-07 11:49 Jens Erat Status resolved => feedback
2014-02-07 11:49 Jens Erat Resolution fixed => reopened
2014-02-07 12:00 Jens Erat Note Added: 0006533
2014-02-07 12:00 Jens Erat Status feedback => assigned
2014-02-07 15:55 francis Note Added: 0006535
2014-02-07 20:32 francis Note Added: 0006536
2014-02-07 20:32 francis Status assigned => resolved
2014-02-07 20:32 francis Resolution reopened => fixed
2016-07-04 14:48 ludovic View Status private => public