[clug] Security: RoundCube Webmail Exploit
Edward Lang
edlang at edlang.org
Sat Apr 25 03:42:57 GMT 2009
Hi,
On Sat, Apr 25, 2009 at 1:21 PM, David Tulloh <david at tulloh.id.au> wrote:
> The exploit is that the (widely used) html2text library contains an eval bug
> so any variable passed to it can be used to execute arbitrary PHP code.
> Roundcube was passing in raw POST data allowing it to be exploited.
>
> The patch Cody supplied is a very dodgy fix for it. It simply requires a
> valid login before executing the same code so while a stranger can't break
> in, any of your users can execute arbitrary PHP code.
>
> The proper fix is to stop evaluating the passed text. Roundcube fixed this
> four months ago and any release since then should not be vulnerable.

I got done for this vulnerability a few months ago. I'd installed
Roundcube on a hosted server and promptly forgot about it, nor did I
follow a regular patching cycle on that server. I only became aware of
the problem after I started receiving automated emails from IDSs at
other ISPs saying that my server was scanning their networks... it
took a bit of poking around to figure out that a rootkit / password
cracker / SSH scanner had been installed via Roundcube. Not so much
fun.

I use mon[1] on that server to monitor some key processes. Does anyone
know how to configure mon to monitor CPU load or an abnormal number of
running processes owned by root / www-data and the like? There's
nothing obvious to that effect on the mon wiki. Hopefully it doesn't
involve an SNMP wormhole...

Regards,
Edward.

[1] http://mon.wiki.kernel.org/index.php/Main_Page

--
Edward C. Lang
http://edlang.org/
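The kind of check Edward asks about, written as an added example of a mon-style monitor script (not code from this thread or from the mon project): it alarms on a high 1-minute load average or on an abnormal number of processes owned by watched users such as root and www-data. It assumes mon's monitor contract is "print a summary line and details, exit non-zero on failure"; the thresholds, user list and sample inputs are constructed.

```shell
#!/bin/sh
# Hypothetical mon monitor: flags high load or too many processes per user.
# Assumed mon contract: summary line on stdout, details after, exit 1 on alarm.

LOAD_MAX=${LOAD_MAX:-4}                 # 1-minute load threshold (constructed)
PROC_MAX=${PROC_MAX:-40}                # max processes per watched user
WATCH_USERS=${WATCH_USERS:-"root www-data"}

# load_exceeds "<contents of /proc/loadavg>" <max>: true if 1-min load > max
load_exceeds() {
    one_min=${1%% *}                    # first whitespace-separated field
    awk -v l="$one_min" -v m="$2" 'BEGIN { exit !(l > m) }'
}

# proc_count <user> "<owner per line, as printed by: ps -eo user=>"
proc_count() {
    printf '%s\n' "$2" | grep -c "^$1\$" || true
}

# evaluate "<loadavg line>" "<ps owner lines>": prints one line per problem
# found and returns the number of problems (0 means healthy)
evaluate() {
    problems=0
    if load_exceeds "$1" "$LOAD_MAX"; then
        echo "load ${1%% *} exceeds $LOAD_MAX"
        problems=$((problems + 1))
    fi
    for u in $WATCH_USERS; do
        n=$(proc_count "$u" "$2")
        if [ "$n" -gt "$PROC_MAX" ]; then
            echo "$u owns $n processes (limit $PROC_MAX)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# run_monitor [host]: collect live data and report in the assumed mon format
run_monitor() {
    details=$(evaluate "$(cat /proc/loadavg)" "$(ps -eo user=)") && exit 0
    echo "${1:-$(hostname)}"            # summary line: the failing host
    echo "$details"
    exit 1
}

# mon passes the host list as arguments; with none, only define functions
if [ $# -gt 0 ]; then run_monitor "$@"; fi
```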