[clug] Security: RoundCube Webmail Exploit

David Tulloh david at tulloh.id.au
Sat Apr 25 03:21:43 GMT 2009

Cody Appleby wrote:
> Hi Guys, 
> Just advising everyone that there is an explot that effects RoundCube
> Webmail v0.2 stable and below,
> I was recently attacked using this and its not nice,
> I advise everyone to upgrade to the latest 0.2.1 asap!
> The patch is included in 0.2.1 or the trunk release :)
> The exploit is to do with bin/html2text.php
The exploit is that the (widely used) html2text library contains an eval 
bug so any variable passed to it can be used to execute arbitrary PHP 
code.  Roundcube was passing in raw POST data allowing it to be exploited.

The patch Cody supplied is a very dodgy fix for it.  It simply requires 
a valid login before executing the same code so while a stranger can't 
break in, any of your users can execute arbitrary PHP code.

The proper fix is to stop evaluating the passed text.  Roundcube fixed 
this four months ago and any release since then should not be vulnerable.

Proper patch: http://trac.roundcube.net/changeset/2148


More information about the linux mailing list