Roundcube Webmail
cpe:2.3:a:roundcube:roundcube_webmail:*:*:*:*:*:*:*
- < 1.5.13
- < 1.6.13
A vulnerability in Roundcube Webmail versions prior to 1.5.13 and 1.6.x prior to 1.6.13 allows the remote image blocking feature to be bypassed. When the 'Block remote images' setting is enabled, the HTML sanitizer fails to properly handle SVG feImage elements, so remote images can be loaded and potentially used to track email opens. The issue arises because the sanitizer does not recognize the feImage reference as an image source and instead treats it as a link, so it does not block the external URL as intended.
Exploitation of this vulnerability allows remote images to be loaded via SVG feImage elements, bypassing Roundcube's image blocking feature. This can be used to track email opens, because the remote server receives a request when the image is loaded.
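The misclassification described above, modeled as an added Python example (not Roundcube's own code): a sanitizer decides per (tag, attribute) pair whether a remote URL is an image source to block or a link to keep, and a pair missing from the image set falls through as a link. The attribute sets, `classify`, `is_remote` and the sample body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Simplified model for illustration, not Roundcube's sanitizer.
# (tag, attribute) pairs whose URL is fetched as an image when rendered.
IMAGE_ATTRS_INCOMPLETE = {("img", "src"), ("image", "href"), ("image", "xlink:href")}
IMAGE_ATTRS_FIXED = IMAGE_ATTRS_INCOMPLETE | {("feimage", "href"), ("feimage", "xlink:href")}
URL_ATTRS = {"src", "href", "xlink:href"}

def is_remote(url):
    """True for http(s) and protocol-relative URLs; cid:, data:, #frag are local."""
    url = url.strip()
    return url.startswith("//") or urlparse(url).scheme.lower() in ("http", "https")

class UrlClassifier(HTMLParser):
    """Sorts remote URLs into 'blocked' (image sources) and 'kept' (links)."""
    def __init__(self, image_attrs):
        super().__init__()
        self.image_attrs = image_attrs
        self.blocked, self.kept = [], []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so feImage -> feimage.
        for name, value in attrs:
            if name in URL_ATTRS and value and is_remote(value):
                bucket = self.blocked if (tag, name) in self.image_attrs else self.kept
                bucket.append((tag, value))

def classify(html, image_attrs):
    parser = UrlClassifier(image_attrs)
    parser.feed(html)
    parser.close()
    return parser.blocked, parser.kept

# Constructed sample body; hosts use the reserved .invalid TLD.
SAMPLE = (
    '<a href="https://example.invalid/page">link</a>'
    '<img src="https://example.invalid/a.png">'
    '<svg><filter><feImage href="https://example.invalid/open.png"/></filter></svg>'
)

if __name__ == "__main__":
    for label, attrs in (("incomplete", IMAGE_ATTRS_INCOMPLETE), ("fixed", IMAGE_ATTRS_FIXED)):
        blocked, kept = classify(SAMPLE, attrs)
        print(label, "blocked:", blocked, "kept:", kept)
```

With the incomplete set the feImage URL ends up in `kept` next to the ordinary link; with the extended set it is blocked like the `img` source. The same classifier can be run over stored message bodies to find mail that relies on this gap.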
To reproduce this vulnerability, send an email containing an SVG with a feImage element that references an external image. Ensure that the 'Block remote images' setting is enabled in Roundcube. When the email is opened, the external image will be loaded despite the blocking setting, allowing for tracking of the email open.
Users can update to Roundcube Webmail versions 1.5.13 or 1.6.13, both of which include the necessary fix. Instructions for updating can be found in the Roundcube documentation.