Roundcube Critical Bug/Exploit reported
OS affected: All
Roundcube version: 1.2.2 and lower
Prerequisites for Roundcube exploit:
must be configured to use PHP’s mail() function (instead of SMTP)
PHP’s mail() function is configured to use sendmail
PHP is configured to have safe_mode turned off
attacker must know or guess the absolute path of the webroot
Article describing this exploit: http://www.theregister.co.uk/2016/12/07/roundcube_webmail_flaw/
New Roundcube 1.2.3 has been deployed with a patch for this exploit.
Status:
Active
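A defender-side check for the prerequisites listed above, as an added example that is not part of the original post or of Roundcube or Virtualmin: it takes the installed Roundcube version, the Roundcube config and a php.ini excerpt, and reports which conditions hold. The config key `smtp_server` and the php.ini keys `safe_mode` and `sendmail_path` are the real ones; the sample config and ini text are constructed, and the 1.2.3 cutoff is the fixed version the post names.

```python
import re

# Constructed sample inputs (not from a real server): a Roundcube config
# excerpt with an empty SMTP server, and a php.ini excerpt.
SAMPLE_ROUNDCUBE_CONFIG = """<?php
$config['smtp_server'] = '';
$config['smtp_port'] = 25;
"""
SAMPLE_PHP_INI = """
safe_mode = Off
sendmail_path = /usr/sbin/sendmail -t -i
"""

FIXED_VERSION = (1, 2, 3)  # first release carrying the patch, per the post


def parse_version(text):
    """Turn '1.2.2' into (1, 2, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split("."))


def roundcube_uses_php_mail(config_text):
    """True when $config['smtp_server'] is unset or empty: Roundcube then sends via PHP mail()."""
    m = re.search(r"\$config\['smtp_server'\]\s*=\s*'([^']*)'", config_text)
    return m is None or m.group(1) == ""


def php_ini_settings(ini_text):
    """Minimal php.ini parser: 'key = value' lines, ';' comments and blanks ignored."""
    settings = {}
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def exploit_prerequisites(version, config_text, ini_text):
    """Map each server-side prerequisite from the post to whether it holds here."""
    ini = php_ini_settings(ini_text)
    return {
        "vulnerable_version": parse_version(version) < FIXED_VERSION,
        "php_mail_in_use": roundcube_uses_php_mail(config_text),
        # PHP's compiled-in default for sendmail_path on Unix is a sendmail call,
        # so an unset key counts as sendmail being in use.
        "sendmail_transport": "sendmail" in ini.get("sendmail_path", "sendmail"),
        # safe_mode was removed in PHP 5.4; an unset key means it is off.
        "safe_mode_off": ini.get("safe_mode", "off").lower() in ("off", "0", ""),
    }


def is_exposed(version, config_text, ini_text):
    """All server-side prerequisites hold (the webroot path is attacker knowledge, not a setting)."""
    return all(exploit_prerequisites(version, config_text, ini_text).values())
```

Run it against the real `config/config.inc.php` and `php.ini` of an installation; any single prerequisite reported False is enough to break the chain until the upgrade to 1.2.3 is done.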
Comments
Submitted by JamieCameron on Fri, 12/16/2016 - 10:42 Comment #2
Virtualmin already offers version 1.2.3 of Roundcube.
Not using Roundcube, but I was thinking it's worth posting as a precaution.
Submitted by andreychek on Fri, 12/16/2016 - 11:04 Comment #4
Thanks for the heads up!
If we see any users on the older versions we'll encourage them to upgrade.
Submitted by JamieCameron on Fri, 12/16/2016 - 11:57 Comment #5
Aside - I wonder if a Virtualmin feature to track known-insecure versions of popular scripts and show a warning on the System Information page would be useful?
That would be great, Jamie. I suspect right now many Vm/Wm users don't even know about this exploit. So if you are not on top of managing your server, who knows how many will continue to use the Roundcube version that was installed during the initial installation.
Submitted by JamieCameron on Fri, 12/16/2016 - 19:01 Comment #7
I'll add this to our long-term features idea list.