Researchers Have Identified a Cross-Site Scripting Vulnerability
Prajeet Nair (@prajeetspeaks) • April 22, 2022
Image caption: Attackers gain full control over a session if an email is viewed. (Source: RainLoop website)
Researchers have uncovered a code vulnerability in RainLoop, an open-source webmail client used by several organizations to exchange sensitive messages and files via email. Security researchers at SonarSource say that this vulnerability allows attackers to steal emails from the inboxes of victims.
As described by Simon Scannell, a vulnerability researcher at SonarSource, an attacker can exploit the code vulnerability simply by sending a malicious email to a victim that uses RainLoop as a mail client.
Uncovering the Vulnerability
“When the email is viewed by the victim, the attacker gains full control over the session of the victim and can steal any of their emails, including those that contain highly sensitive information such as passwords, documents, and password reset links,” Scannell says.
The discovered code flaw is a Stored Cross-Site Scripting, or XSS, vulnerability tracked as CVE-2022-29360 and affects version v1.16.0 of RainLoop, which was released in May 2021.
A Stored XSS occurs when a malicious script is injected into a vulnerable web application, persisted by it, and later served to the browsers of other users who view the affected content.
At the time of writing, Scannell says that no official patch is available, and the vulnerability can be exploited in any RainLoop installation that runs with default configurations.
SonarSource says that it first contacted RainLoop about the flaw on Nov. 30, 2021, but it received no response. Subsequently, the researchers created a GitHub issue on Dec. 6, 2021, but they say that as yet there has been no response.
Finally, researchers contacted RainLoop on Jan. 1, 2022, via email and the GitHub issue, to inform it about the 90-day disclosure policy, but still there was no response from the vendor.
A spokesperson for RainLoop was not immediately available to comment.
Scannell says that RainLoop’s back end is a PHP application, which acts as a proxy between a user and their mail server. “Similar to mail clients, such as Thunderbird, it enables a user to log into a mail server, fetch emails, view them, and send emails,” he says.
“SonarSource researchers have sounded the alarm that the vulnerability is exploitable if a victim receives a malicious email. Now the call is out for defenders to adapt, innovate faster and thrive. Even though a patch doesn’t exist today, the silver lining is that Sonar has developed a patch that will provide organizations with the necessary time to assess if RainLoop is a risk to them,” Sam Curry, chief security officer at Cybereason, tells Information Security Media Group.
Since RainLoop is a web application, it renders incoming emails to HTML code, Scannell says. The application also needs to ensure that the rendered HTML code is validated and does not contain any unsafe links or malicious components.
Scannell describes the flow RainLoop follows to achieve this:
- Receive untrusted HTML code from the mail server.
- Create an instance of the built-in DOMDocument class in PHP, which parses HTML into a tree structure of HTML elements and their attributes.
- Depending on the configuration, allow or remove dangerous content in the tree structure.
- Convert a sanitized tree structure of the DOMDocument into HTML code.
“Intuitively, it makes sense to analyze the code that attempts to remove any dangerous HTML code […] and find a weakness inside of that code to bypass the sanitizer. However, our experience has shown there are often logic bugs after the sanitization steps have been performed. From the security researcher’s point of view, they are much easier to spot and are often overlooked by developers,” Scannell says.
Researchers recommend that developers never modify data once it has been sanitized, because any later transformation can undo the sanitization step.
Scannell also recommends working with a DOM tree object rather than operating on HTML text, since string-level manipulation leaves much more room for mistakes.
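The four-step flow and the two recommendations above, as an added Python example (not RainLoop's PHP code and not SonarSource's material): untrusted HTML is parsed into a tree, pruned against an allow-list, and serialized once, with escaping applied only at serialization. A reparse check then confirms that whatever string finally reaches the browser still contains only allowed markup, and a hypothetical post-processing step (`post_process_badly`, an assumption for illustration) shows how a text-level "convenience" transform applied after sanitization undoes it. The sample message, tag and attribute lists, and all function names are constructed for this example.

```python
"""Tree-based HTML sanitizer with an idempotence check; hypothetical example code."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-lists are constructed for this example, not taken from any real product.
ALLOWED_TAGS = {"p", "b", "i", "u", "a", "br", "div", "span", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href"}, "div": {"class"}, "span": {"class"}, "p": {"class"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
VOID_TAGS = {"br"}


class Node:
    """Element (tag set) or text node (tag is None)."""
    def __init__(self, tag, attrs=None):
        self.tag = tag
        self.attrs = dict(attrs or {})
        self.children = []
        self.text = ""


class TreeBuilder(HTMLParser):
    """Step 2 of the flow: parse untrusted HTML into a tree of elements."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = Node("#root")
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = Node(tag, attrs)
        self.stack[-1].children.append(node)
        if tag not in VOID_TAGS:
            self.stack.append(node)

    def handle_startendtag(self, tag, attrs):
        self.stack[-1].children.append(Node(tag, attrs))

    def handle_endtag(self, tag):
        # Pop back to the matching open element; stray closers are ignored.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i].tag == tag:
                del self.stack[i:]
                return

    def handle_data(self, data):
        text = Node(None)
        text.text = data
        self.stack[-1].children.append(text)


def safe_attr(name, value):
    """Reject link targets with non-http(s)/mailto schemes or embedded control characters."""
    if name == "href":
        if any(ord(c) < 0x20 for c in value):
            return False
        return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES
    return True


def sanitize_tree(node):
    """Step 3: walk the tree and keep only allow-listed elements and attributes."""
    kept = []
    for child in node.children:
        if child.tag is None:                      # text survives untouched
            kept.append(child)
        elif child.tag in DROP_WITH_CONTENT:       # drop element and everything inside it
            continue
        elif child.tag not in ALLOWED_TAGS:        # unwrap: keep the content, drop the tag
            sanitize_tree(child)
            kept.extend(child.children)
        else:
            allowed = ALLOWED_ATTRS.get(child.tag, set())
            child.attrs = {k: v for k, v in child.attrs.items()
                           if k in allowed and v is not None and safe_attr(k, v)}
            sanitize_tree(child)
            kept.append(child)
    node.children = kept
    return node


def serialize(node):
    """Step 4: emit HTML from the tree, escaping every text and attribute value here and only here."""
    if node.tag is None:
        return html.escape(node.text, quote=False)
    out = []
    if node.tag != "#root":
        attrs = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in node.attrs.items())
        out.append(f"<{node.tag}{attrs}>")
    out.extend(serialize(c) for c in node.children)
    if node.tag != "#root" and node.tag not in VOID_TAGS:
        out.append(f"</{node.tag}>")
    return "".join(out)


def sanitize_html(untrusted):
    """Steps 1-4 in one place: parse, prune, serialize. Nothing should touch the result afterwards."""
    builder = TreeBuilder()
    builder.feed(untrusted)
    builder.close()
    return serialize(sanitize_tree(builder.root))


def is_still_sanitized(rendered):
    """Regression check for the 'logic bugs after sanitization' class: re-sanitizing the string
    that actually reaches the browser must be a no-op. Run it after every post-processing step."""
    return sanitize_html(rendered) == rendered


def post_process_badly(rendered):
    """Hypothetical text-level 'cleanup' applied after sanitization: decoding entities so that
    '&amp;' reads nicer. Operating on the string undoes the escaping done in step 4."""
    return html.unescape(rendered)


# Constructed sample message body; the tags and attributes are standard sanitizer test inputs.
UNTRUSTED_EMAIL = (
    '<p class="x" onmouseover="x()">Hello <b>there</b>'
    '<script>x()</script>'
    '<a href="javascript:x()">bad link</a>'
    '<a href="https://example.com/reset?token=abc&amp;x=1">reset</a>'
    ' 1 &lt;script&gt; 2</p>'
)

if __name__ == "__main__":
    rendered = sanitize_html(UNTRUSTED_EMAIL)
    print(rendered)
    print("idempotent after sanitize:", is_still_sanitized(rendered))
    print("idempotent after post-processing:", is_still_sanitized(post_process_badly(rendered)))
```

The design choice worth noting is that escaping happens exactly once, inside `serialize`, and every decision about what to keep is made on `Node` objects rather than on substrings. `is_still_sanitized` is cheap and catches the exact failure mode the researchers describe: if any later step rewrites the serialized string, re-sanitizing it no longer returns the same bytes, which is a signal to move that step before serialization or onto the tree.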
Avishai Avivi, chief information security officer at cybersecurity firm SafeBreach, says that based on the available information, it seems that the RainLoop product is no longer actively maintained or supported.
Avivi says this highlights three issues for which the vendor is responsible: legacy code, technical debt and third-party risk management.
“While, arguably, RainLoop is offered as a free version, it probably did sell in the past. There is no explicit indication that the product is no longer maintained or supported. The responsible action by the RainLoop team would have been to indicate this so that users avoid downloading, installing and using a tool that is no longer maintained,” Avivi says.
Many companies deal with legacy code and technical debt issues. Avivi says companies may have multiple reasons for not addressing the issue of old code and products that have fallen out of support. But, he says, as a result the problem tends to grow rather than go away.
“This does have the potential to blow up when a vulnerability is found and there is no one left in the company that can address it,” Avivi says.
He says that companies must consider the risk of leveraging software or code from open sources and must account for any critical dependencies on such code and address them in relevant business continuity considerations.