View Issue Details

ID: 0004764
Project: SOGo
Category: Web Mail
View Status: public
Last Update: 2019-06-10 13:38
Reporter: r-mach
Assigned To: francis
Priority: immediate
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.0.7
Fixed in Version: 4.0.8
Summary: 0004764: Security issue related to links opened via webmail
Description

Hello,

As a lot of companies (such as mine) are currently using your webmail for corporate purposes (or SaaS models), the urge to provide a fix to this vulnerability feels very high at the moment.

The vulnerability is quite simple to understand: no rel="noopener" is automatically added to xx sent and received through the webmail.
This allows, in the worst case, malicious users to execute JavaScript code through the window.opener variable on opened links directly inside the webmail, and in the easiest case, to simply redirect users to a fake phishing webmail, asking them to log in again.

I tried this on our corporate webmail and managed to fool most of the people with this.
Also, this currently works on other solutions depending on SOGo (iredmail, ...) and even SaaS systems (gandi.net for instance), on which I successfully applied this exploit.

For more details: https://mathiasbynens.github.io/rel-noopener/

Steps To Reproduce

Open your SOGo webmail, and send a mail to yourself using source mode, containing this:

https://mathiasbynens.be/demo/opener

Then, open the mail in the webmail and click the link.
Now, see by yourself what happened on your SOGo tab.

Additional Information

Rémi MACH - SecOps engineering @ Log'in Line (www.loginline.com)

Tags: No tags attached.

Activities

r-mach (reporter), 2019-06-08 16:37, note ~0013626

The link was: (< a href = " https://mathiasbynens.be/demo/opener " target = " _blank " > Click here < / a >)

(Remove the useless whitespaces).
As you can see if you click on the link, this bugtracker is also vulnerable...

Related Changesets

sogo: master 0e918a44
2019-06-10 13:19:46
francis

Add rel="noopener" to external links

Fixes 0004764

Affected Issues: 0004764

Modified files:
mod - NEWS
mod - SoObjects/SOGo/NSString+Utilities.m
mod - UI/MailPartViewers/UIxMailPartHTMLViewer.m
mod - UI/Templates/ContactsUI/UIxContactViewTemplate.wox
mod - UI/Templates/SchedulerUI/UIxAppointmentViewTemplate.wox
mod - UI/Templates/SchedulerUI/UIxTaskViewTemplate.wox
mod - UI/WebServerResources/js/Common/txt2html.filter.js
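The changeset above fixes the report by adding rel="noopener" to external links in the templates, the HTML mail viewer and the text-to-HTML filter. The following is an added example, not SOGo's code and not the diff of that changeset: a standalone JavaScript filter that post-processes an HTML fragment and makes sure every anchor that opens a new browsing context (target="_blank") or points off the webmail host carries rel="noopener", so the opened page gets no window.opener reference to the webmail tab. The function names, the ownHost parameter and the sample message are assumptions made for this example.

```javascript
// Added example, not SOGo's code: post-process HTML so that every anchor that
// opens a new browsing context, or leaves the webmail's own host, carries
// rel="noopener". Without it the opened page can use window.opener to
// navigate the webmail tab elsewhere (reverse tabnabbing), which is what the
// report above describes.

// Every <a ...> opening tag; its attribute string is parsed separately.
const ANCHOR_TAG = /<a\b([^>]*)>/gi;
// One attribute: name, then an optional = "value" | 'value' | bareword.
const ATTRIBUTE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttributes(raw) {
  const attrs = [];
  let m;
  ATTRIBUTE.lastIndex = 0;
  while ((m = ATTRIBUTE.exec(raw)) !== null) {
    // Pick whichever value form matched; null means a bare attribute like "download".
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : null;
    attrs.push({ name: m[1].toLowerCase(), value });
  }
  return attrs;
}

function serializeAttributes(attrs) {
  return attrs
    .map(({ name, value }) => (value === null ? name : `${name}="${value.replace(/"/g, '&quot;')}"`))
    .join(' ');
}

// An href is external when it resolves to an http(s) URL on another host.
// ownHost is the webmail's own host (an assumption of this example); relative
// links, mailto: and other schemes are never treated as external.
function isExternalHref(href, ownHost) {
  if (!href) return false;
  try {
    const url = new URL(href, `https://${ownHost}/`);
    return (url.protocol === 'http:' || url.protocol === 'https:') && url.host !== ownHost;
  } catch (err) {
    return false; // unparseable href: leave the tag untouched
  }
}

// Rewrite each anchor in `html`; tags that need no protection are returned as-is,
// existing rel tokens are preserved and "noopener" is added only once.
function addNoopener(html, ownHost) {
  return html.replace(ANCHOR_TAG, (tag, rawAttrs) => {
    const attrs = parseAttributes(rawAttrs);
    const find = (name) => attrs.find((a) => a.name === name);
    const target = find('target');
    const href = find('href');
    const opensNewContext = !!(target && target.value && target.value.toLowerCase() === '_blank');
    const external = isExternalHref(href && href.value, ownHost);
    if (!opensNewContext && !external) return tag;
    const rel = find('rel');
    const tokens = rel && rel.value ? rel.value.split(/\s+/).filter(Boolean) : [];
    if (!tokens.some((t) => t.toLowerCase() === 'noopener')) tokens.push('noopener');
    if (rel) rel.value = tokens.join(' ');
    else attrs.push({ name: 'rel', value: tokens.join(' ') });
    return `<a ${serializeAttributes(attrs)}>`;
  });
}

// Constructed sample message body (not from the original report) showing the
// link from the report beside an internal link that must stay untouched.
const SAMPLE_MESSAGE =
  '<p><a href="https://mathiasbynens.be/demo/opener" target="_blank">Click here</a> ' +
  'or go back to your <a href="/mail/inbox">inbox</a>.</p>';

console.log(addNoopener(SAMPLE_MESSAGE, 'mail.example.com'));
```

Running the block prints the sample with rel="noopener" added to the external link and the internal link left unchanged. The filter only adds the rel token; it does not add or change target attributes, matching what the changeset title describes.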

Issue History

Date Modified | Username | Field | Change
2019-06-08 16:34 | r-mach | New Issue |
2019-06-08 16:37 | r-mach | Note Added | 0013626
2019-06-10 13:21 | francis | Changeset attached | => sogo master 0e918a44
2019-06-10 13:21 | francis | Assigned To | => francis
2019-06-10 13:21 | francis | Resolution | open => fixed
2019-06-10 13:38 | francis | Status | new => resolved
2019-06-10 13:38 | francis | Fixed in Version | => 4.0.8