- priority: 5 --> 9
JawMail renders the sender name of an email without escaping it, so JavaScript code contained in the name is executed in the recipient's browser when the message is displayed.
An example sender field:
"<script language='javascript'>alert('ouch');</script>" <my@email.com>
I have not checked the CC and BCC fields, but I suspect they are vulnerable as well.
Also, I noticed a problem with the way in which the body of an email is formatted. JawMail automatically formats URLs that are contained in the body of an email such that they are clickable links. The formatting is done in the following order:
1. Replace URLs by <a href="...">...</a>.
2. Insert line breaks into the body. This may destroy the tags inserted in the previous step, if a line break is added in the middle of a tag.
As a result, the line after such a line break contains a single ">". This alone is not a security bug, but it may turn into one if somebody finds a way to insert the missing leading "<", so it should be fixed anyway.
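The following JavaScript is an added illustration, not JawMail's own code: it models both problems described above (a sender display name placed into the page unescaped, and URL-to-anchor replacement done before line breaks are inserted, which can cut an <a> tag in half) next to a safe order that escapes the text, wraps it at whitespace only, and linkifies each line on its own. The helper names, the fixed-width break and the sample body are assumptions made for the example.

```javascript
// Added example, not JawMail's code. Models the two problems in the report:
// (1) a sender display name rendered into HTML without escaping, and
// (2) inserting line breaks *after* turning URLs into <a> tags, which can
//     split a tag across lines. Helper names and the fixed-width break
//     are assumptions; the sample inputs below are constructed.

const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Escape the five HTML metacharacters. Applied to untrusted text before it
// goes into the page, this is what keeps a script in the sender name inert.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the display name is concatenated into the markup verbatim.
function renderSenderUnsafe(name, addr) {
  return `${name} &lt;${addr}&gt;`;
}

// Fixed: both fields are escaped first.
function renderSenderSafe(name, addr) {
  return `${escapeHtml(name)} &lt;${escapeHtml(addr)}&gt;`;
}

// Step 1 of the report: replace URLs by <a href="...">...</a>.
function linkify(text) {
  return text.replace(URL_RE, (u) => `<a href="${u}">${u}</a>`);
}

// Step 2 of the report, modelled as a naive hard wrap: a "<br>" every
// `width` characters, regardless of whether a tag is open at that point.
function insertLineBreaks(html, width) {
  const chunks = [];
  for (let i = 0; i < html.length; i += width) chunks.push(html.slice(i, i + width));
  return chunks.join("<br>\n");
}

// The order the report describes: anchors first, then line breaks. A break
// landing inside <a href="..."> leaves a dangling ">" on the next line.
function formatBodyBroken(body, width) {
  return insertLineBreaks(linkify(escapeHtml(body)), width);
}

// Wrap the *plain text* at whitespace only (collapsing runs of whitespace,
// a simplification), so a URL is never cut and an over-long token simply
// gets its own line.
function wrapWords(text, width) {
  const lines = [];
  let line = "";
  for (const word of text.split(/\s+/).filter(Boolean)) {
    if (line === "") line = word;
    else if (line.length + 1 + word.length <= width) line += " " + word;
    else { lines.push(line); line = word; }
  }
  if (line !== "") lines.push(line);
  return lines;
}

// Safe order: wrap first, then escape and linkify each line independently,
// so no tag can ever span a line break.
function formatBodySafe(body, width) {
  return wrapWords(body, width).map((l) => linkify(escapeHtml(l))).join("<br>\n");
}

// Check used below: every line must contain as many "<" as ">". Output in
// which a tag was split by a line break fails this.
function tagsBalancedPerLine(html) {
  return html.split("\n").every((line) => {
    const open = (line.match(/</g) || []).length;
    const close = (line.match(/>/g) || []).length;
    return open === close;
  });
}

// Constructed sample inputs (the sender name is the one from the report).
const SENDER_NAME = "\"<script language='javascript'>alert('ouch');</script>\"";
const BODY = "See http://example.com/path for details";

console.log(renderSenderUnsafe(SENDER_NAME, "my@email.com"));
console.log(renderSenderSafe(SENDER_NAME, "my@email.com"));
console.log(formatBodyBroken(BODY, 30)); // first line ends inside the href
console.log(formatBodySafe(BODY, 30));   // anchor intact, break after it
```

With a width of 30 the broken order cuts the sample body right inside the href attribute, which is exactly the "single >" symptom from the report; the safe order produces the same link with the break placed between words.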