Roundcube Critical Bug/Exploit [#44916]

Submitted by Diabolico on Fri, 12/16/2016 - 10:39

Roundcube Critical Bug/Exploit reported

OS affected: All Roundcube version: 1.2.2 and lover

Prerequisites for Roundcube exploit:

must be configured to use PHP’s mail() function (instead of SMTP)
PHP’s mail() function is configured to use sendmail
PHP is configured to have safe_mode turned off
attacker must know or guess the absolute path of the webroot

Article describing this exploit: http://www.theregister.co.uk/2016/12/07/roundcube_webmail_flaw/

New Roundcube 1.2.3 has been deployed with a patch for this exploit.

Status:

Active

Comments

Submitted by Diabolico on Fri, 12/16/2016 - 10:39 Comment #1

Body:

View changes

Submitted by JamieCameron on Fri, 12/16/2016 - 10:42 Comment #2

Virtualmin already offers version 1.2.3 of Roundcube.

Submitted by Diabolico on Fri, 12/16/2016 - 10:45 Comment #3

Not using Roundcube but i was thinking its worth to post as precaution.

Submitted by andreychek on Fri, 12/16/2016 - 11:04 Comment #4

Thanks for the heads up!

If we see any users on the older versions we'll encourage them to upgrade.

Submitted by JamieCameron on Fri, 12/16/2016 - 11:57 Comment #5

Aside - I wonder if a VIrtualmin feature to track known-insecure versions of popular scripts and show a warning on the System Information page would be useful?

Submitted by Diabolico on Fri, 12/16/2016 - 14:17 Comment #6

That would be great Jamie. I suspect right now many Vm/Wm users dont even know for this exploit. So if you are not on top of managing your server who knows how many will continue to use Roundcube version what was during the initial installation.

Submitted by JamieCameron on Fri, 12/16/2016 - 19:01 Comment #7

I'll add this to our long-term features idea list.