Roundcube Critical Bug/Exploit

Roundcube Critical Bug/Exploit reported

OS affected: All; Roundcube version: 1.2.2 and lower

Prerequisites for Roundcube exploit:

  • must be configured to use PHP’s mail() function (instead of SMTP)

  • PHP’s mail() function is configured to use sendmail

  • PHP is configured to have safe_mode turned off

  • attacker must know or guess the absolute path of the webroot

Article describing this exploit: http://www.theregister.co.uk/2016/12/07/roundcube_webmail_flaw/

New Roundcube 1.2.3 has been deployed with a patch for this exploit.

Status: 
Active
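One way to check a host against the prerequisites above, as an added example that is not part of the original post or of Virtualmin's own tooling: it assumes Roundcube 1.x records its version as RCMAIL_VERSION in program/include/iniset.php and that an empty $config['smtp_server'] in config/config.inc.php selects PHP mail(); the sample file contents are constructed. The webroot-path prerequisite depends on the attacker, so it is not measured.

```python
import re

PATCHED = (1, 2, 3)  # first release carrying the fix, per the post

# Constructed sample file contents standing in for the real files on a server.
SAMPLE_INISET = "define('RCMAIL_VERSION', '1.2.2');\n"
SAMPLE_CONFIG = "$config['smtp_server'] = '';  // blank = PHP mail()\n"
SAMPLE_PHP_INI = 'safe_mode = Off\nsendmail_path = "/usr/sbin/sendmail -t -i"\n'

def parse_version(s):
    """'1.2.2' -> (1, 2, 2): compare numerically, so 1.10 > 1.2 holds."""
    return tuple(int(p) for p in s.split("."))

def roundcube_version(iniset_src):
    """Pull RCMAIL_VERSION out of program/include/iniset.php (assumed location)."""
    m = re.search(r"define\('RCMAIL_VERSION',\s*'([\d.]+)'\)", iniset_src)
    return m.group(1) if m else None

def uses_php_mail(config_src):
    """True when smtp_server is an empty string, i.e. Roundcube sends via PHP mail()."""
    m = re.search(r"\$config\['smtp_server'\]\s*=\s*(['\"])(.*?)\1\s*;", config_src)
    return m is not None and m.group(2).strip() == ""

def php_ini_value(ini_src, key):
    """Last uncommented `key = value` in a php.ini body, quotes stripped, or None."""
    val = None
    for line in ini_src.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            if k == key:
                val = v.strip("\"'")
    return val

def audit(iniset_src, config_src, ini_src):
    """Evaluate the four checkable prerequisites from the post."""
    ver = roundcube_version(iniset_src)
    sendmail = php_ini_value(ini_src, "sendmail_path")
    safe_mode = php_ini_value(ini_src, "safe_mode")
    checks = {
        "vulnerable_version": ver is not None and parse_version(ver) < PATCHED,
        "php_mail_transport": uses_php_mail(config_src),
        # unset sendmail_path means PHP's compiled-in default, which is sendmail
        "sendmail_used": sendmail is None or "sendmail" in sendmail,
        # safe_mode is off unless enabled explicitly (and removed entirely in PHP 5.4+)
        "safe_mode_off": safe_mode is None or safe_mode.lower() in ("", "0", "off"),
    }
    checks["all_prerequisites_met"] = all(checks.values())
    return checks
```

Any host where `all_prerequisites_met` comes back true should be moved to 1.2.3 or later; clearing any single prerequisite (e.g. switching to SMTP) only narrows the exposure.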

Comments

Virtualmin already offers version 1.2.3 of Roundcube.

Submitted by Diabolico on Fri, 12/16/2016 - 10:45

Not using Roundcube, but I was thinking it's worth posting as a precaution.

Thanks for the heads up!

If we see any users on the older versions we'll encourage them to upgrade.

Aside - I wonder if a Virtualmin feature to track known-insecure versions of popular scripts and show a warning on the System Information page would be useful?

Submitted by Diabolico on Fri, 12/16/2016 - 14:17

That would be great, Jamie. I suspect right now many Vm/Wm users don't even know about this exploit. So if you are not on top of managing your server, who knows how many will continue to use the Roundcube version that was there during the initial installation.

I'll add this to our long-term features idea list.