Open Weltolk opened 2 years ago
https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/
Patch
At the time of writing, no official patch is available. We recommend the RainLoop fork SnappyMail. It has great security improvements and is actively maintained. We would like to thank the maintainers of this fork for their quick response and analysis of this issue. They confirmed to us that they are not affected. For this reason, we recommend users of RainLoop migrate to SnappyMail in the long term.
To help in the short term, we encourage users to apply the following inofficial patch that we developed (please carefully use at your own risk):
Hi @corsh, Thanks for the patch. I applied and it works good.
# patch -i rainloop_xss.patch ../rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
However, this patch requires PHP 7
I don't know if I could switch to SnappyMail, because I need the plugin ldap-change-password that I had modified to generate extra password for samba attributes : sambaNTPassword and sambaLMPassword.
Fortunately you are here to help us on Rainloop !
I had the following error with the sonarsource patch for this on 1.16.0
[root@host rainloop]# patch -i rainloop.patch rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
patching file rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
patch: **** malformed patch at line 12: @@ -250,7 +251,7 @@
Here is a patch for 1.16.0
which should work if anyone has the same problem:
--- /root/HtmlUtils.php 2022-07-24 11:59:52.853660650 -0400
+++ rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php 2022-07-24 12:12:32.276071692 -0400
@@ -239,7 +239,8 @@
$oWrapHtml->setAttribute($sKey, $sValue);
}
- $oWrapDom = $oDom->createElement('div', '___xxx___');
+ $rand_str = base64_encode(random_bytes(32));
+ $oWrapDom = $oDom->createElement('div', $rand_str);
$oWrapDom->setAttribute('data-x-div-type', 'body');
foreach ($aBodylAttrs as $sKey => $sValue)
{
@@ -250,7 +251,7 @@
$sWrp = $oDom->saveHTML($oWrapHtml);
- $sResult = \str_replace('___xxx___', $sResult, $sWrp);
+ $sResult = \str_replace($rand_str, $sResult, $sWrp);
}
$sResult = \str_replace(\MailSo\Base\HtmlUtils::$KOS, ':', $sResult);
Please use SnappyMail from @the-djmaze, we can thanks for this work!
Please note that SnappyMail supports SCRAM-SHA-* for connection, very good security:
Linked to:
RainLoop version, browser, OS: RainLoop v1.16.0 latest version Expected behavior and actual behavior:
Steps to reproduce the problem:
Logs or screenshots:
CVE-2022-29360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29360
https://www.ddosi.org/cve-2022-29360/
https://www.youtube.com/watch?v=6dSiQH0pijk