Security Contact for high severity Security Issue

[simon-scannell-sonarsource]

Hi,

At SonarSource, we are equally driven by studying and understanding real-world vulnerabilities and by helping the open-source community secure their projects.

We have detected and verified a high-severity security vulnerability in the latest version of Rainloop that we would like to responsibly disclose to help protect users. However, we were unable to find the right security contact to send our report to. Can you please direct us to the right team or person? We have also sent an eMail to support@rainloop.net regarding this issue but have not yet received a reply.

Best regards,
Simon

[simon-scannell-sonarsource]

Hi,

Since we have not received a response on multiple channels (this issue and an email to support@rainloop.net), we are following up with you. We are also happy to provide assistance in the patch process and help review any changes.
We usually make details of a vulnerability report public 90 days after delivering the Security Vulnerability details to a Security Contact. This industry-standard is well documented here: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html

However, since we have not received a response and have not been redirected to a Security Contact, we will make the details of our Security Advisory public in 60 days from now on.

Best regards,
Simon

[cm-schl]

Hi @simon-scannell-sonarsource please keep us updated also in this issue, thanks!

[gramakri]

There is a patch at https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw

[athos-ribeiro]

Hi, @simon-scannell-sonarsource .

Thanks for the write-up and the patch in the blog post.

To be able to re-distribute rainloop with the fix from your blog post at https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/, it would be nice to have a license attributed to that patch, in case you are willing to license it under a FLOSS license.

Would it be possible to add a disclaimer to that blog post adding such license to that patch? Ideally, AGPLv3 would make the most out of it so it is compatible with the rest of the rainloop source code.

[simon-scannell-sonarsource]

Hi @athos-ribeiro ,

I am happy to add a license to the patch if it helps secure more instances. I admin, I have no experience with adding licenses to code etc.

Assuming it is just a disclaimer, could you give me an example I can use? I will add it to the blog post then.

Thank you!
Simon

[athos-ribeiro]

Hi @simon-scannell-sonarsource ,

While IANAL, I believe that the following steps should suffice for redistribution:

For the blog post, you could add the license disclaimer, as described in the end of
the AGPL license itself at https://www.gnu.org/licenses/agpl-3.0.txt:

    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.

Do remember to change the copyright information above to list either you or your employer.

Then you can also add a link to the full license as well (https://www.gnu.org/licenses/agpl-3.0.txt).

Optionally, for completeness, you could file a PR in this repository with your patch (the commit message could contain the URL to your blog post in this case).

Once again, thanks for your work and thank you for addressing this licensing matter!

[Neustradamus]

Please use SnappyMail from @the-djmaze, we can thanks for this work!

• https://snappymail.eu/
• https://github.com/the-djmaze/snappymail/

Please note that SnappyMail supports SCRAM-SHA-* for connection, very good security:

• SCRAM-SHA-1-PLUS + SCRAM-SHA-256-PLUS + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports the-djmaze/snappymail#182
• https://github.com/the-djmaze/snappymail/blob/master/snappymail/v/0.0.0/app/libraries/RainLoop/Model/Account.php

Linked to:

• RainLoop is dead, if possible switch to SnappyMail: https://github.com/the-djmaze/snappymail #2185
• Sec: Fix CVE-2022-29360 XSS vulnerability #2183
• Please fix the exploit, thanks! CVE-2022-29360 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29360 https://www.ddosi.org/cve-2022-29360/ https://www.youtube.com/watch?v=6dSiQH0pijk #2180
• Jan 2022: Is rainloop still maintained? #2162
• Security Contact for high severity Security Issue #2142
• Security Vulnerability "/_data_/…/storage/cfg/…/…/accounts" #2134
• Is this project dead? #1831

[gramakri]

It seems this is now fixed slightly different with https://github.com/RainLoop/rainloop-webmail/blame/master/rainloop/v/0.0.0/app/libraries/MailSo/Base/HtmlUtils.php#L242 (was part of the MIT release commit)