SOGo | BTS

ID: 0002598
Project: SOGo
Category: Web Calendar
View Status: public
Date Submitted: 2014-02-04 11:09
Last Update: 2016-07-04 14:48
Reporter: Jens Erat
Assigned To: francis
Priority: urgent
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform / OS / OS Version: (not specified)
Product Version: 2.1.1b
Target Version: 2.2.0
Fixed in Version: 2.2.0
Summary: 0002598: Script injection in calendar title
Description: The calendar title is vulnerable to script injections.
Steps To Reproduce:
- Go to calendar view
- Create new appointment
- In title, write `<script> window.alert('bar'); </script>`
- Open the appointment; an alert box showing "bar" will show up

Sometimes, the alert box also shows up in the calendar overview.
Tags: No tags attached.

Notes
(0006487)
francis (administrator)
2014-02-04 11:23

What browser do you use?
(0006493)
Jens Erat (reporter)
2014-02-04 13:55

We were able to reproduce the issue in Chrome/Chromium, Safari and Firefox, most current releases each.
(0006502)
francis (administrator)
2014-02-05 13:21

I can't reproduce the problem.

If I have the rights to modify the event, I'll have an input field with the value properly encoded with HTML entities. If I can only view the event, the title will also be properly encoded and the JavaScript won't be executed.
(0006503)
Jens Erat (reporter)
2014-02-05 13:32

I couldn't verify it against a newer nightly build containing the equal-sign fix we reported in another bug; maybe the behavior changed. In a newer nightly build (updated today) I had to remove the semicolon, which got escaped and broke the JavaScript:

    <script> window.alert('bar') </script>

It still gets executed, both when looking at the calendar overview and the appointment details.
(0006505)
francis (administrator)
2014-02-05 16:11

Fixed.

See https://github.com/inverse-inc/sogo/commit/1a7fc2a0e90a19dfb1fce292ae5ff53aa513ade9
(0006532)
Jens Erat (reporter)
2014-02-07 11:49

I can confirm the bug being fixed for appointments, but a similar problem seems to exist with contacts and the bugfix introduced some encoding problems.

Example of the encoding issues (string seems to be HTML-encoded twice):

http://images.jenserat.de/2014-02-07_1746.png


How to reproduce the code injection with contacts:

- Create contact, save
- Reopen contact
- Add injection code, for example in the "Display" name field (`<script> window.alert('1') </script>`)
- Save
- Alert box pops up
(0006533)
Jens Erat (reporter)
2014-02-07 12:00

Encoding problems also apply to reminder alerts.
(0006535)
francis (administrator)
2014-02-07 15:55

More fixes:

https://github.com/inverse-inc/sogo/commit/80a09407652ec04e8c9fb6cb48e1029e69a15765
https://github.com/inverse-inc/sogo/commit/3a5e44e7eb8b390b67a8f8a83030b49606956501
(0006536)
francis (administrator)
2014-02-07 20:32

Added HTML escaping in CSS dialogs.

See https://github.com/inverse-inc/sogo/commit/c94595ea7f0f843c2d7abf25df039b2bbe707625
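The thread above turns on two distinct defects: user text (an event title, a contact display name, reminder text) concatenated straight into dialog markup, and, after the first fix, the same value being HTML-encoded twice so that the user sees a literal `&lt;script&gt;`. The following is an added example, not SOGo code and not taken from the linked commits; it shows the minimal output encoding francis describes in note 0006502, the double-encoding regression Jens Erat reports in note 0006532, and a check that a correct escaper leaves characters such as `;` alone (note 0006503). The function names, the `<div class="title">` wrapper and the `looksDoubleEncoded` heuristic are this example's own assumptions, not SOGo's.

```javascript
// Added example, not code from SOGo or its authors: HTML output encoding for
// user-supplied strings inserted into markup, plus checks for the two failure
// modes discussed in the bug thread (raw insertion, and encoding twice).

// Only these five characters need encoding for text placed in an HTML element
// body or a quoted attribute; everything else, ';' included, is left alone.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Reverse mapping, used only to show that a single escape round-trips cleanly.
function unescapeHtml(value) {
  return String(value).replace(/&(amp|lt|gt|quot|#39);/g, (m, name) =>
    ({ amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" })[name]);
}

// Constructed sample payload, copied from the report's reproduction steps.
const SAMPLE_TITLE = "<script> window.alert('bar') </script>";

// The defect: user text concatenated straight into the dialog markup
// (hypothetical wrapper element, not SOGo's actual template).
function renderTitleVulnerable(title) {
  return '<div class="title">' + title + '</div>';
}

// The fix: encode exactly once, at the point where text becomes markup.
function renderTitleSafe(title) {
  return '<div class="title">' + escapeHtml(title) + '</div>';
}

// The regression: the value was already encoded when it was stored and the
// renderer encodes it again, so the browser displays a literal '&lt;script&gt;'.
function renderTitleDoubleEncoded(storedEncodedTitle) {
  return renderTitleSafe(storedEncodedTitle);
}

// Review checks that can be run over rendered fragments.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function looksDoubleEncoded(html) {
  // An entity whose own ampersand has been encoded, e.g. '&amp;lt;'.
  return /&amp;(?:amp|lt|gt|quot|#\d+);/.test(html);
}

// Runs the three rendering paths over the sample payload.
function demo() {
  const stored = SAMPLE_TITLE;               // correct: store the raw value
  const encodedAtStore = escapeHtml(stored); // the mistake: encode before storing
  return {
    vulnerable: renderTitleVulnerable(stored),
    safe: renderTitleSafe(stored),
    doubled: renderTitleDoubleEncoded(encodedAtStore),
  };
}
```

The rule this illustrates is the one the fix sequence converged on: store the raw string, and encode it exactly once at each output boundary (HTML body, attribute, or the text of a dialog). Encoding at both the storage layer and the template produces the `&amp;lt;` artefacts seen in the screenshot, and a context-specific escaper never needs to touch `;`.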

Issue History
Date Modified Username Field Change
2014-02-04 11:09 Jens Erat New Issue
2014-02-04 11:23 francis Note Added: 0006487
2014-02-04 13:55 Jens Erat Note Added: 0006493
2014-02-05 13:21 francis Note Added: 0006502
2014-02-05 13:32 Jens Erat Note Added: 0006503
2014-02-05 13:47 francis Target Version => 2.2.0
2014-02-05 16:11 francis Note Added: 0006505
2014-02-05 16:11 francis Status new => resolved
2014-02-05 16:11 francis Fixed in Version => 2.2.0
2014-02-05 16:11 francis Resolution open => fixed
2014-02-05 16:11 francis Assigned To => francis
2014-02-07 11:49 Jens Erat Note Added: 0006532
2014-02-07 11:49 Jens Erat Status resolved => feedback
2014-02-07 11:49 Jens Erat Resolution fixed => reopened
2014-02-07 12:00 Jens Erat Note Added: 0006533
2014-02-07 12:00 Jens Erat Status feedback => assigned
2014-02-07 15:55 francis Note Added: 0006535
2014-02-07 20:32 francis Note Added: 0006536
2014-02-07 20:32 francis Status assigned => resolved
2014-02-07 20:32 francis Resolution reopened => fixed
2016-07-04 14:48 ludovic View Status private => public


Copyright © 2000 - 2019 MantisBT Team
Powered by Mantis Bugtracker