[clug] Security: RoundCube Webmail Exploit

Edward Lang edlang at edlang.org
Sat Apr 25 03:42:57 GMT 2009


On Sat, Apr 25, 2009 at 1:21 PM, David Tulloh <david at tulloh.id.au> wrote:
> The exploit is that the (widely used) html2text library contains an eval bug
> so any variable passed to it can be used to execute arbitrary PHP code.
>  Roundcube was passing in raw POST data allowing it to be exploited.
> The patch Cody supplied is a very dodgy fix for it.  It simply requires a
> valid login before executing the same code so while a stranger can't break
> in, any of your users can execute arbitrary PHP code.
> The proper fix is to stop evaluating the passed text.  Roundcube fixed this
> four months ago and any release since then should not be vulnerable.

I got done for this vulnerability a few months ago. I'd installed
Roundcube on a hosted server and promptly forgot about it, nor did I
follow a regular patching cycle on that server. I only became aware of
the problem after I started receiving automated emails from IDSs at
other ISPs saying that my server was scanning their networks... it
took a bit of poking around to figure out that a rootkit / password
cracker / SSH scanner had been installed via Roundcube. Not so much

I use mon[1] on that server to monitor some key processes. Does anyone
know how to configure mon to monitor CPU load or an abnormal number of
running processes owned by root / www-data and the like? There's
nothing obvious to that effect on the mon wiki. Hopefully it doesn't
involve an SNMP wormhole...



[1] http://mon.wiki.kernel.org/index.php/Main_Page

Edward C. Lang


More information about the linux mailing list