Summary
An attacker can attach an image in a html mail which is loaded from external resouce in the default setting, which should prevent loading of external resources.
Details
When displaying emails containing external content, they should be loaded by default only after confirmation by the user (see the following figure).
However, it could be recognized that certain embedded images (see PoC) are loaded, even though the "Automatic Reloading of Images" function is disabled by default. The reloading is also done unencrypted via HTTP and redirections are followed.
I have a guess that this has something to do with dompurify, as you use this to sanitize the data, but dompurify does not remove external embedded images.
PoC
- send an html mail with the following svg image
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="http://ahvw9qknip6davbd2yk9g441qswpkf84.oastify.com/SVG-inline-with-remote-image"/>
</svg>
- when recipient opens the mail, the external image is loaded
Impact
This behavior is unexpected for the user, since the user assumes that external content will only be loaded after explicit manual confirmation. The loading of external content in e-mails represents a risk, because this makes the sender aware that the e-mail address is used, when the e-mail was read, which device is used and expose the user's IP address.
79vt9v4 Finder
Summary
An attacker can attach an image in a html mail which is loaded from external resouce in the default setting, which should prevent loading of external resources.
Details
When displaying emails containing external content, they should be loaded by default only after confirmation by the user (see the following figure).
However, it could be recognized that certain embedded images (see PoC) are loaded, even though the "Automatic Reloading of Images" function is disabled by default. The reloading is also done unencrypted via HTTP and redirections are followed.
I have a guess that this has something to do with dompurify, as you use this to sanitize the data, but dompurify does not remove external embedded images.
PoC
Impact
This behavior is unexpected for the user, since the user assumes that external content will only be loaded after explicit manual confirmation. The loading of external content in e-mails represents a risk, because this makes the sender aware that the e-mail address is used, when the e-mail was read, which device is used and expose the user's IP address.