This repository has been archived by the owner on Nov 4, 2024. It is now read-only.

Please fix the exploit, thanks! CVE-2022-29360 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29360 https://www.ddosi.org/cve-2022-29360/ https://www.youtube.com/watch?v=6dSiQH0pijk #2180

Open
Weltolk opened this issue Jun 2, 2022 · 4 comments


Weltolk commented Jun 2, 2022

RainLoop version, browser, OS:
RainLoop v1.16.0 latest version
Expected behavior and actual behavior:

Steps to reproduce the problem:

Logs or screenshots:

CVE-2022-29360

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29360

https://www.ddosi.org/cve-2022-29360/

https://www.youtube.com/watch?v=6dSiQH0pijk

Weltolk changed the title on Jun 2, 2022
from: Please fix the exploit, thanks! CVE-2022-29360 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29360 https://www.ddosi.org/cve-2022-29360/
to: Please fix the exploit, thanks! CVE-2022-29360 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29360 https://www.ddosi.org/cve-2022-29360/ https://www.youtube.com/watch?v=6dSiQH0pijk


corsch commented Jun 11, 2022

https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/

Patch

At the time of writing, no official patch is available. We recommend the RainLoop fork SnappyMail. It has great security improvements and is actively maintained. We would like to thank the maintainers of this fork for their quick response and analysis of this issue. They confirmed to us that they are not affected. For this reason, we recommend users of RainLoop migrate to SnappyMail in the long term.

To help in the short term, we encourage users to apply the following unofficial patch that we developed (please carefully use at your own risk):

@Philippe34

Hi @corsch,
Thanks for the patch. I applied it and it works well.

# patch -i rainloop_xss.patch ../rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php

However, this patch requires PHP 7.

I don't know if I could switch to SnappyMail, because I need the plugin ldap-change-password, which I had modified to generate extra passwords for the Samba attributes sambaNTPassword and sambaLMPassword.

Fortunately you are here to help us on RainLoop!


sadsfae commented Jul 24, 2022

I had the following error with the sonarsource patch for this on 1.16.0:

[root@host rainloop]# patch -i rainloop.patch rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
patching file rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
patch: **** malformed patch at line 12: @@ -250,7 +251,7 @@

Here is a patch for 1.16.0 which should work if anyone has the same problem:

--- /root/HtmlUtils.php 2022-07-24 11:59:52.853660650 -0400
+++ rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php   2022-07-24 12:12:32.276071692 -0400
@@ -239,7 +239,8 @@
                                $oWrapHtml->setAttribute($sKey, $sValue);
                        }
 
-                       $oWrapDom = $oDom->createElement('div', '___xxx___');
+                       $rand_str = base64_encode(random_bytes(32));
+                       $oWrapDom = $oDom->createElement('div', $rand_str);
                        $oWrapDom->setAttribute('data-x-div-type', 'body');
                        foreach ($aBodylAttrs as $sKey => $sValue)
                        {
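Review bot: `random_bytes()` on the added `$rand_str` line is only available from PHP 7.0, so on an older runtime this path fails with an undefined-function error; state the PHP 7 requirement alongside the patch or guard the call. The new variable also departs from the naming used on the surrounding lines (`$oWrapDom`, `$sKey`, `$sValue`); a name such as `$sMarker` would fit, and a one-line comment saying the placeholder must be unpredictable per call would keep it from being turned back into a constant later.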
@@ -250,7 +251,7 @@
 
                        $sWrp = $oDom->saveHTML($oWrapHtml);
 
-                       $sResult = \str_replace('___xxx___', $sResult, $sWrp);
+                       $sResult = \str_replace($rand_str, $sResult, $sWrp);
                }
 
                $sResult = \str_replace(\MailSo\Base\HtmlUtils::$KOS, ':', $sResult);
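Review bot: the changed `\str_replace($rand_str, $sResult, $sWrp)` still replaces every occurrence of the marker in the serialized wrapper, including any that might sit inside the attribute values copied in by the `setAttribute($sKey, $sValue)` calls, so the fix rests entirely on the marker being unguessable. Consider checking that the marker occurs exactly once in `$sWrp` before substituting (for example with `\substr_count`) and failing closed otherwise, so the invariant is enforced rather than assumed.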
