CVE-2023-47272: Fix cross-site scripting (XSS) vulnerability in setting Content-Type/… · roundcube/roundcubemail@5ec4968
Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
Expand Up @@ -212,7 +212,7 @@ public function common_headers($privacy = true) }
/** * Send headers related to file downloads * Send headers related to file downloads. * * @param string $filename File name * @param array $params Optional parameters: Expand All @@ -225,34 +225,54 @@ public function common_headers($privacy = true) */ public function download_headers($filename, $params = []) { // For security reasons we validate type, filename and charset params. // Some HTTP servers might drop a header that is malformed or very long, this then // can lead to web browsers unintentionally executing javascript code in the body.
if (empty($params[‘disposition’])) { $params[‘disposition’] = 'attachment’; }
if ($params[‘disposition’] == ‘inline’ && stripos($params[‘type’], ‘text’) === 0) { $params[‘type’] .= ‘; charset=’ . ($params[‘type_charset’] ?: $this->charset); $ctype = 'application/octet-stream’; $disposition = $params[‘disposition’];
if (!empty($params[‘type’]) && is_string($params[‘type’]) && strlen($params[‘type’]) < 256 && preg_match('/^[a-z0-9!#$&.+^_-]+\/[a-z0-9!#$&.+^_-]+$/i’, $params[‘type’]) ) { $ctype = $params[‘type’]; }
header("Content-Type: " . (!empty($params[‘type’]) ? $params[‘type’] : “application/octet-stream”)); if ($disposition == ‘inline’ && stripos($ctype, ‘text’) === 0) { $charset = $this->charset; if (!empty($params[‘type_charset’]) && rcube_charset::is_valid($params[‘type_charset’])) { $charset = $params[‘type_charset’]; }
if ($params[‘disposition’] == ‘attachment’ && $this->browser->ie) { header(“Content-Type: application/force-download”); $ctype .= "; charset={$charset}"; }
$disposition = "Content-Disposition: " . $params[‘disposition’]; if (is_string($filename) && strlen($filename) > 0 && strlen($filename) <= 1024) { // For non-ascii characters we’ll use RFC2231 syntax if (!preg_match('/[^a-zA-Z0-9_.:,?;@+ -]/’, $filename)) { $disposition .= "; filename=\"{$filename}\""; } else { $filename = rawurlencode($filename); $charset = $this->charset; if (!empty($params[‘charset’]) && rcube_charset::is_valid($params[‘charset’])) { $charset = $params[‘charset’]; }
// For non-ascii characters we’ll use RFC2231 syntax if (!preg_match('/[^a-zA-Z0-9_.:,?;@+ -]/’, $filename)) { $disposition .= sprintf("; filename=\"%s\"", $filename); } else { $disposition .= sprintf("; filename*=%s’’%s", !empty($params[‘charset’]) ? $params[‘charset’] : $this->charset, rawurlencode($filename) ); $disposition .= "; filename*={$charset}’’{$filename}"; } }
header($disposition); header(“Content-Disposition: {$disposition}”); header(“Content-Type: {$ctype}”);
if ($params[‘disposition’] == ‘attachment’ && $this->browser->ie) { header(“Content-Type: application/force-download”); }
if (isset($params[‘length’])) { header("Content-Length: " . $params[‘length’]); Expand Down
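Review bot: The filename branch in the new code (`if (is_string($filename) && strlen($filename) > 0 && strlen($filename) <= 1024)`) silently drops the `filename` parameter from Content-Disposition whenever the name is empty, not a string, or longer than 1024 bytes, so the browser falls back to a name derived from the URL; consider emitting a truncated or fixed fallback name in the `else` case, and record the 1024-byte limit and the new behaviour in the docblock, which still reads only `@param string $filename File name`. The same applies to `$ctype`: the docblock's `@param array $params Optional parameters:` should state that `type` must match `/^[a-z0-9!#$&.+^_-]+\/[a-z0-9!#$&.+^_-]+$/i` and be shorter than 256 bytes, and that anything else (or a non-string) is replaced by `application/octet-stream`, since callers previously relied on their value being passed through verbatim. One small hardening note on the same lines: `stripos($ctype, 'text') === 0` matches any type whose top-level part merely starts with `text`, so a charset parameter is appended to such types too; `strncasecmp($ctype, 'text/', 5) === 0` would limit that to the `text/*` family the comment intends.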
Related news
Ubuntu Security Notice 6848-1 - Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. Rene Rehme discovered that Roundcube incorrectly handled certain headers. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10.
Debian Linux Security Advisory 5572-1 - Rene Rehme discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly set headers when handling attachments. This would allow an attacker to load arbitrary JavaScript code.