SOGo | BTS

ID: 0004764
Project: SOGo
Category: Web Mail
View Status: public
Date Submitted: 2019-06-08 16:34
Last Update: 2019-06-10 13:38
Reporter: r-mach
Assigned To: francis
Priority: immediate
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.0.7
Fixed in Version: 4.0.8
Summary: 0004764: Security issue related to links opened via webmail
Description

Hello,

As a lot of companies (mine included) are currently using your webmail for corporate purposes (or SaaS models), the urge to provide a fix to this vulnerability feels very high at the moment.

The vulnerability is quite simple to understand: no rel="noopener" is automatically added to xx sent and received through the webmail.
This allows, in the worst case, malicious users to execute JavaScript code through the window.opener variable on opened links directly inside the webmail, and in the easiest case, to simply redirect users to a fake phishing webmail, asking them to log in again.

I tried this on our corporate webmail and managed to fool most of the people with this.
Also, this currently works on other solutions depending on SOGo (iredmail, ...) and even SaaS systems (gandi.net for instance) on which I successfully applied this exploit.

For more details: https://mathiasbynens.github.io/rel-noopener/

Steps To Reproduce

Open your SOGo webmail, and send a mail to yourself using source mode, containing this:

https://mathiasbynens.be/demo/opener

Then, open the mail in the webmail and click the link.
Now, see by yourself what happened on your SOGo tab.
Additional Information

Rémi MACH - SecOps engineering @ Log'in Line (www.loginline.com)

Tags: No tags attached.

Notes
(0013626)
r-mach (reporter)
2019-06-08 16:37

the link was (< a href = " https://mathiasbynens.be/demo/opener " target = " _blank " > Click here < / a >

(Remove the useless whitespaces).
As you can see if you click on the [^] link, this bugtracker is also vulnerable...

Related Changesets

sogo: master 0e918a44
Timestamp: 2019-06-10 13:19:46
Author: francis

Add rel="noopener" to external links

Fixes 0004764

mod - NEWS
mod - SoObjects/SOGo/NSString+Utilities.m
mod - UI/MailPartViewers/UIxMailPartHTMLViewer.m
mod - UI/Templates/ContactsUI/UIxContactViewTemplate.wox
mod - UI/Templates/SchedulerUI/UIxAppointmentViewTemplate.wox
mod - UI/Templates/SchedulerUI/UIxTaskViewTemplate.wox
mod - UI/WebServerResources/js/Common/txt2html.filter.js
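An added example, not SOGo's code and not the diff of this changeset: a small JavaScript filter that does what the fix describes, adding rel="noopener" to anchors that open in a new window (preserving any rel tokens already present) and emitting safe links when bare URLs in a plain-text mail are turned into HTML. The function names addNoopener and linkifyText and the sample anchor (modelled on the reporter's note) are assumptions.

```javascript
// Added example, not SOGo's code. A link with target="_blank" and no
// rel="noopener" hands the opened page a window.opener reference, which lets
// it navigate the webmail tab elsewhere (for instance to a fake login page).
// rel="noopener" makes that reference null.

const TARGET_BLANK = /\btarget\s*=\s*["']?_blank["']?/i;
const REL_ATTR = /\brel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Rewrite every <a ...> tag in an HTML mail body so that anchors opening a
// new browsing context carry rel="noopener"; existing rel tokens are kept.
function addNoopener(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    if (!TARGET_BLANK.test(attrs)) return tag;       // same-tab link: no opener handed out
    const rel = attrs.match(REL_ATTR);
    if (!rel) return `<a${attrs} rel="noopener">`;    // no rel attribute yet: add one
    const value = rel.slice(1).find(v => v !== undefined) || '';
    const tokens = value.split(/\s+/).filter(Boolean);
    if (tokens.some(t => t.toLowerCase() === 'noopener')) return tag; // already safe
    tokens.push('noopener');
    return `<a${attrs.replace(rel[0], () => `rel="${tokens.join(' ')}"`)}>`;
  });
}

// Plain-text mail: turn bare URLs into links that are safe from the start
// (the idea behind the txt2html filter touched by the fix).
function linkifyText(text) {
  return text.replace(/https?:\/\/[^\s<>"']+/g, url => {
    const safe = url.replace(/&/g, '&amp;');         // keep the attribute well-formed
    return `<a href="${safe}" target="_blank" rel="noopener">${safe}</a>`;
  });
}

// Constructed sample, modelled on the reporter's payload in note 0013626.
const SAMPLE = '<a href="https://mathiasbynens.be/demo/opener" target="_blank">Click here</a>';
```

The rewriter is regex-based to stay self-contained; in a real mail viewer the same rule belongs in the DOM-based HTML sanitizer so that it cannot be confused by unusual attribute syntax.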

Issue History
Date Modified Username Field Change
2019-06-08 16:34 r-mach New Issue
2019-06-08 16:37 r-mach Note Added: 0013626
2019-06-10 13:21 francis Changeset attached => sogo master 0e918a44
2019-06-10 13:21 francis Assigned To => francis
2019-06-10 13:21 francis Resolution open => fixed
2019-06-10 13:38 francis Status new => resolved
2019-06-10 13:38 francis Fixed in Version => 4.0.8


Copyright © 2000 - 2019 MantisBT Team
Powered by Mantis Bugtracker