Roundcube Webmail: SVG feImage bypasses image blocking to track email opens

by nullcathedral on 2/8/2026, 6:24 PM with 44 comments

by smelendez on 2/8/2026, 7:29 PM

I often think the best way to defeat email open tracking would be for a mainstream email client to prefetch every image when a non-spam email is received and cache it for 72 hours or so.

Every email gets flagged as “opened,” so the flag is meaningless, and recipients can see the images without triggering a tracker.

by kevincox on 2/9/2026, 2:12 AM

From reading a little bit of the code it sounds like Roundcube's sanitizer is much closer to a blacklist than a whitelist. Any attempt to sanitize HTML with a blacklist is doomed to failure. Even if you read the current HTML spec (including referenced specs like SVG) and do a perfect job there are additions over time that you will be vulnerable to.

Probably any unknown element attribute pair should be stripped by default. And that's still not considering different "namespaces" such as SVG and MathML that you need to be careful with.
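A contrast of the two sanitizer designs discussed in this comment, as an added example that is not code from the thread or from Roundcube: a blocklist that strips only the attributes it was told about lets an SVG feImage reference through, while an allowlist that drops every unknown element/attribute pair removes it. The sample email body, the tracker host and the allowed-element set are constructed assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample body: an SVG filter whose feImage primitive points at a
# remote URL (placeholder host), beside an ordinary remote <img>.
SAMPLE_EMAIL = (
    "<p>Hello <b>there</b></p>"
    '<svg><filter id="f"><feImage href="https://tracker.example/pixel.png"/></filter>'
    '<rect width="1" height="1" filter="url(#f)"/></svg>'
    '<img src="https://tracker.example/open.gif">'
)
# Blocklist policy: strip only the (element, attribute) pairs someone thought of.
BLOCKED_ATTRS = {("img", "src"), ("image", "href"), ("image", "xlink:href")}
# Allowlist policy (assumed set): elements and the attributes they may keep; all else is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}


class Sanitizer(HTMLParser):
    """Re-serialises markup, keeping only what the two policy callbacks approve,
    and records every kept attribute whose value still points at a remote host."""
    def __init__(self, keep_tag, keep_attr):
        super().__init__()
        self.keep_tag, self.keep_attr = keep_tag, keep_attr
        self.out, self.remote = [], []

    def handle_starttag(self, tag, attrs):
        if not self.keep_tag(tag):
            return  # element dropped; any text inside it survives as plain text
        kept = [(k, v or "") for k, v in attrs if self.keep_attr(tag, k)]
        self.remote += [(tag, k) for k, v in kept if v.lower().startswith(("http://", "https://"))]
        self.out.append(f"<{tag}" + "".join(f' {k}="{html.escape(v)}"' for k, v in kept) + ">")

    def handle_endtag(self, tag):
        if self.keep_tag(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


# Each policy is a (keep_tag, keep_attr) pair of callables.
BLOCKLIST = (lambda tag: True, lambda tag, attr: (tag, attr) not in BLOCKED_ATTRS)
ALLOWLIST = (lambda tag: tag in ALLOWED, lambda tag, attr: attr in ALLOWED.get(tag, set()))


def sanitize(markup, policy):
    """Returns (sanitised markup, list of (element, attribute) still fetching remotely)."""
    s = Sanitizer(*policy)
    s.feed(markup)
    s.close()
    return "".join(s.out), s.remote
```

Note that html.parser lowercases element names, so the surviving reference is reported as ("feimage", "href"); the point is that the blocklist never had a rule for it.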

by Avamander on 2/8/2026, 8:12 PM

SVGs are just the tip of the iceberg of how hard it is to sanitize email content. There aren't any purpose-built good libraries for email sanitization either. Something that would handle SVG, CSS, HTML, everything.

by jonathanlydall on 2/8/2026, 7:31 PM

Slightly related, but fraudsters love using .svg attachments; typically the mails purport to be for an invoice which you need to log into your Microsoft account to be able to “securely” view.

I’m not sure if Exchange Online doesn’t scan them or something, but I landed up making a rule which blocks all emails with either .svg or .htm(l) attachments and to notify me when blocked.

Happens a couple of times per month for our small company, no false positives yet.

by jszymborski on 2/8/2026, 9:47 PM

Too bad CORS doesn't fix this. It would be awesome to be able to sandbox a page completely.

by stragies on 2/8/2026, 7:14 PM

Hmm, I wonder if Roundcube was the exception (w.r.t. feImage), or if other webmail clients will soon need to be patched.

by michaelteter on 2/8/2026, 7:51 PM

Not disputing the article, nor insinuating that there's some ulterior motive, but it's curious that this blog has only one post; and the About page suggests a lengthier history (with references to what would have been previous posts).

by Galanwe on 2/8/2026, 6:55 PM

Nice catch!

I am trying to read as little _online_ as possible nowadays. I essentially have dovecot in my crontab, and read it off roundcube. It's been working great, RoundCube is dead simple to set up and use, the UI and search are very fast.

by elric on 2/9/2026, 7:14 AM

SVGs are such an amazing attack vector. Nearly every webapp I've seen that allows image or SVG uploads is vulnerable to XSS. If the Roundcube implementation allows for remote image fetching, it's probably worth checking it for XSS vulnerabilities.

Also: what's the legal status of this kind of tracking? How does it jibe with the GDPR?

by 1over137 on 2/9/2026, 12:20 AM

You disclosed this the day roundcube was patched. Isn’t it usual to give us time to deploy updates before disclosing details?!

by logicallee on 2/8/2026, 10:39 PM

Whatever happened to read receipts? I wouldn't mind allowing a sender who wants to know if I've opened their email access to a read receipt about it.