Author Topic: Possible vulnerability Injected into the "_action".  (Read 2999 times)

Offline betoxsido

  • Newbie
  • Posts: 1
Possible vulnerability Injected into the "_action".
« on: January 27, 2017, 03:13:58 AM »
Hi all,

After performing a vulnerability scan, a possible vulnerability "spider-code-injection" has been detected in the login URL:

Injected into the "_action" form parameter (Using method POST) on https://xxxx.xxxx.xxxx.xxxx/?_task=login:

41: @licend The above is the entire license notice
42: for the JavaScript code in this page.
43: */
44: var rcmail = new rcube_webmail();
45: ...action":"print838582532838582532","comm_path":".\/?_task=login","co...

-------------------------------------------------------------------------------------------------------------------
Injected into the "_action" form parameter (Using method GET) on https://xxxx.xxxx.xxxx.xxxx/?_task=login:

41: @licend The above is the entire license notice
42: for the JavaScript code in this page.
43: */
44: var rcmail = new rcube_webmail();
45: ...action":"print838582532838582532","comm_path":".\/?_task=login","co...


Is there a risk of command injection? How can I protect the information coming to the server?

Thanks! Kind regards.


Offline JohnDoh

  • Global Moderator
  • Hero Member
  • Posts: 2,850
Re: Possible vulnerability Injected into the "_action".
« Reply #1 on: January 28, 2017, 04:01:05 AM »
I'm interested in what about that you think is vulnerable.

The input is sanitised, so you cannot insert actual code, and invalid actions are ignored. There is CSRF protection built in to Roundcube, but if you want you can enable secure URLs for additional security; see https://github.com/roundcube/roundcubemail/blob/master/config/defaults.inc.php#L627

I suppose because the value is put into rcmail.env.action there could be a way to get Roundcube actions executed from inside the application - like a button was clicked or something else done in Roundcube which used the value from rcmail.env.action - but there is no way to specify the particular parameters for that action, and so it would fail.
« Last Edit: January 28, 2017, 04:39:06 AM by JohnDoh »
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…