CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Author Topic: Cross site scripting (XSS) vulnerabilities with Civimail  (Read 1163 times)

Dennis Gray

  • Ask me questions
  • ****
  • Posts: 472
  • Karma: 1
  • CiviCRM version: Various. See post.
  • CMS version: Drupal, Wordpress and Joomla. See post.
  • MySQL version: TBA
  • PHP version: TBA
Cross site scripting (XSS) vulnerabilities with Civimail
April 04, 2010, 11:25:20 pm
I'm looking for a discussion of how Civimail protects against cross site scripting. Are there any recommendations?

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: Cross site scripting (XSS) vulnerabilities with Civimail
April 05, 2010, 01:23:34 am
Why specifically CiviMail? CiviCRM in general uses an IDS.

If you think you have identified a security vulnerability, please contact someone from CiviCRM by email.

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out for the result

Dennis Gray

  • Ask me questions
  • ****
  • Posts: 472
  • Karma: 1
  • CiviCRM version: Various. See post.
  • CMS version: Drupal, Wordpress and Joomla. See post.
  • MySQL version: TBA
  • PHP version: TBA
Re: Cross site scripting (XSS) vulnerabilities with Civimail
April 05, 2010, 02:22:27 am
Because of our environment, we are most particularly concerned with Civimail. We have not identified any vulnerabilities but want to know if there has been a discussion on this topic.

Piotr Szotkowski

  • Moderator
  • I live on this forum
  • *****
  • Posts: 1497
  • Karma: 57
Re: Cross site scripting (XSS) vulnerabilities with Civimail
April 06, 2010, 07:32:11 am
The CiviMail admin interface should be protected in the same way as the rest of the CiviCRM pages (i.e., via IDS).

The return channel handling mechanism (CiviMail Processor) only checks the headers of the messages by parsing the emails via ezComponents’ library, and bounce bodies are only matched against regular expression checks to guess the type of the bounce. The forwards/replies are also handled by simply reformatting the emails, without actually executing anything in them.

The action URLs (for un/re/subscribe, opt-out, etc.) are checked for the various id numbers, but these are always required to be integers.

Not sure whether we do anything else specific to CiviMail.
If you found the above helpful, please consider helping us in return – you can even steer CiviCRM’s future and help us extend CiviCRM in ways useful to you.

kaaloo

  • Guest
Re: Cross site scripting (XSS) vulnerabilities with Civimail
April 06, 2010, 08:10:02 am
Are email headers displayed in the civi admin interface? Will they be automatically sanitized by the IDS?
Luis

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: Cross site scripting (XSS) vulnerabilities with Civimail
April 06, 2010, 12:27:47 pm
Right now, they aren't.

And any incoming email is entity escaped (i.e. unreadable, but safe ;)
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out for the result
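The three defensive habits described in this thread (Piotr's post: action URL ids that must be integers and bounce bodies that are only regex-matched, never executed; xavier's post: incoming mail entity-escaped before it could be displayed) are illustrated below in an added PHP example. It is not CiviCRM's own code: the function names, the parameter names `jid`/`qid`/`cid`, the bounce patterns and the sample messages are all assumptions constructed for the illustration.

```php
<?php
// Added illustration (not CiviCRM's code) of the mechanisms described in
// the thread: integer-only ids in action URLs, regex bounce classification
// that never evaluates message content, and entity escaping of raw header
// values before they could reach an admin page. All names are assumptions.

declare(strict_types=1);

/**
 * Validate the numeric ids carried in an un/re/subscribe or opt-out URL.
 * Anything that is not a plain positive integer is rejected, so a value
 * with markup appended never reaches a query or a template.
 */
function parseActionIds(array $query): ?array
{
    $ids = [];
    foreach (['jid', 'qid', 'cid'] as $key) {   // hypothetical parameter names
        if (!isset($query[$key])) {
            return null;                        // missing id: reject the whole request
        }
        $value = filter_var(
            $query[$key],
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]
        );
        if ($value === false) {
            return null;                        // not an integer (or < 1): reject
        }
        $ids[$key] = $value;
    }
    return $ids;
}

/**
 * Guess the bounce type by matching the body against regular expressions.
 * The body is only read; it is never rendered, evaluated or forwarded as-is.
 */
function classifyBounce(string $body): string
{
    $patterns = [                                // constructed patterns, not CiviMail's
        'mailbox_full' => '/\b(mailbox|quota)\b.*\b(full|exceeded)\b/is',
        'unknown_user' => '/\b(user|recipient|address)\b.*\b(unknown|not found|does not exist)\b/is',
        'away'         => '/\b(out of (the )?office|on vacation|auto-?reply)\b/i',
    ];
    foreach ($patterns as $type => $re) {
        if (preg_match($re, $body) === 1) {
            return $type;
        }
    }
    return 'unclassified';
}

/**
 * Entity-escape a raw header value so that, if it is ever shown in an admin
 * page, any markup in it is displayed literally instead of being interpreted.
 */
function escapeHeaderForDisplay(string $header): string
{
    return htmlspecialchars($header, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- constructed sample input ---
$goodUrl = ['jid' => '12', 'qid' => '345', 'cid' => '6'];
$badUrl  = ['jid' => '12', 'qid' => '345<b>x</b>', 'cid' => '6'];
var_dump(parseActionIds($goodUrl));   // ['jid' => 12, 'qid' => 345, 'cid' => 6]
var_dump(parseActionIds($badUrl));    // NULL: rejected before any lookup

$bounce = "Delivery failed.\nThe recipient's mailbox is full and cannot accept messages.";
echo classifyBounce($bounce), PHP_EOL;                 // mailbox_full

$subject = 'Re: Newsletter <b>bold</b> & "quoted"';
echo escapeHeaderForDisplay($subject), PHP_EOL;        // markup shown as entities
```

The escaping step is the one xavier describes as making incoming mail "unreadable, but safe": the escaped text is stored and displayed as inert entities, which is why headers would be harmless if the admin interface ever showed them.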
