[clug] Security: RoundCube Webmail Exploit

David Tulloh david at tulloh.id.au
Sat Apr 25 03:21:43 GMT 2009


Cody Appleby wrote:
> Hi Guys, 
>
> Just advising everyone that there is an exploit that affects RoundCube
> Webmail v0.2 stable and below,
> I was recently attacked using this and it's not nice,
> I advise everyone to upgrade to the latest 0.2.1 asap!
>
> The patch is included in 0.2.1 or the trunk release :)
>
> The exploit is to do with bin/html2text.php
>
>   
The exploit is that the (widely used) html2text library contains an eval 
bug so any variable passed to it can be used to execute arbitrary PHP 
code.  Roundcube was passing in raw POST data allowing it to be exploited.

The patch Cody supplied is a very dodgy fix for it.  It simply requires 
a valid login before executing the same code so while a stranger can't 
break in, any of your users can execute arbitrary PHP code.

The proper fix is to stop evaluating the passed text.  Roundcube fixed 
this four months ago and any release since then should not be vulnerable.

Proper patch: http://trac.roundcube.net/changeset/2148


David
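
An audit check for the bug class discussed in this message, as an added example that is not part of the original post or of Roundcube's code. It assumes the eval in html2text is the `preg_replace` `/e` (evaluate replacement) modifier form; the function name `find_eval_patterns` and both PHP samples are constructed for illustration.

```python
import re

# A quoted PHP string shaped like a regex literal: delimiter, body, the same
# delimiter, then modifiers. Heuristic: bracket-style delimiters are ignored.
REGEX_LITERAL = re.compile(
    r"""(?P<q>['"])(?P<d>[/#~!@%|])(?P<body>(?:\\.|(?!(?P=q))[^\\])*)"""
    r"""(?P=d)(?P<mods>[a-zA-Z]*)(?P=q)""",
    re.S,
)
# Matches preg_replace( but not preg_replace_callback(.
PREG_REPLACE_CALL = re.compile(r"\bpreg_replace\s*\(")

def find_eval_patterns(php_source):
    """Return (line_number, literal) for regex literals carrying the e modifier.

    Patterns are often kept in an array away from the call site, so every
    regex-shaped literal in a file that calls preg_replace() is inspected.
    """
    if not PREG_REPLACE_CALL.search(php_source):
        return []
    hits = []
    for m in REGEX_LITERAL.finditer(php_source):
        if "e" in m.group("mods"):
            line = php_source.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(0)))
    return hits

# Constructed sample: the replacement string is evaluated as PHP code.
SAMPLE_VULNERABLE = r'''<?php
class Converter {
    var $search = array(
        '/<b[^>]*>(.+?)<\/b>/ie',   // evaluated replacement
        '/<br[^>]*>/i',             // plain replacement
    );
    var $replace = array('strtoupper("\\1")', "\n");
    function convert($text) {
        return preg_replace($this->search, $this->replace, $text);
    }
}
'''

# Constructed sample: same conversion with a callback, nothing is evaluated.
SAMPLE_FIXED = r'''<?php
function convert($text) {
    $text = preg_replace('/<br[^>]*>/i', "\n", $text);
    return preg_replace_callback('/<b[^>]*>(.+?)<\/b>/i',
        function ($m) { return strtoupper($m[1]); }, $text);
}
'''
```

A hit means the file needs manual review; a path-like string such as '/home/e' in a file that calls preg_replace() will also be reported.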

