RoundCube vulnerability allows injection of arbitrary scripting code
RoundCube, the PHP-based web mail client, was found to be vulnerable, and just before Christmas an exploit was published on the Milw0rm pages that allowed attackers to inject arbitrary code into the RoundCube application. Secunia has marked this bug as highly critical. RoundCube is free software written in PHP, designed to act as a web gateway for user mailboxes using the IMAP protocol, with support for MIME, an address book, searching and spell checking.
In versions 0.2-1.alpha and 0.2-3.beta, a file called html2text.php makes use of preg_replace(). Unfortunately, insufficient filtering of input data makes it possible for an intruder to force the function to execute arbitrary instructions. The flaw makes it possible to take control of the software if the client sends crafted HTML data containing harmful strings. This bug can be used, for example, to steal confidential data of other users of the webmail service, or to pursue Local File Inclusion (LFI) and Remote File Inclusion (RFI) attacks.
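A source audit for the code pattern behind this bug, as an added example that is not part of the original article or RoundCube's code: the CVE entry describes input being processed by preg_replace() with the eval (`/e`) switch, so the script flags such calls in PHP source, including patterns passed in an array. The function names are this example's own and the PHP sample is constructed.

```python
import re

# PCRE delimiters whose closing character differs from the opening one.
BRACKETS = {"(": ")", "[": "]", "{": "}", "<": ">"}
CALL = re.compile(r"\bpreg_replace\s*\(", re.IGNORECASE)
# PHP string literals (with backslash escapes) and argument punctuation.
TOKEN = re.compile(r"'(?:\\.|[^'\\])*'" r'|"(?:\\.|[^"\\])*"'
                   r"|[()\[\],]", re.S)

def pattern_literals(src, pos):
    """String literals in the first call argument; pos is just past '('."""
    depth, found = 0, []
    for tok in TOKEN.finditer(src, pos):
        text = tok.group()
        if text[0] in "'\"":
            found.append(text[1:-1])        # strip the PHP quotes
        elif text in "([":
            depth += 1                      # array( ... ) or [ ... ]
        elif text in ")]" and depth:
            depth -= 1
        elif text in ")," and depth == 0:
            break                           # first argument ends here
    return found

def modifiers(pattern):
    """Modifier letters that follow the closing delimiter of a PCRE pattern."""
    pattern = pattern.lstrip()
    close = BRACKETS.get(pattern[:1], pattern[:1])
    end = pattern.rfind(close, 1) if close else -1
    return pattern[end + 1:] if end > 0 else ""

def find_eval_replace(src):
    """Return (line, pattern) for each preg_replace() pattern that uses /e."""
    hits = []
    for call in CALL.finditer(src):
        line = src.count("\n", 0, call.start()) + 1
        for pattern in pattern_literals(src, call.end()):
            if "e" in modifiers(pattern):
                hits.append((line, pattern))
    return hits

# Constructed PHP sample for the audit, not RoundCube's code.
SAMPLE = r'''<?php
$a = preg_replace('/<h1>(.*)<\/h1>/ie', $repl, $html);
$b = preg_replace(array('/<b>/i', '#<i>(.*)</i>#e'), $repl, $html);
$c = preg_replace('/enter,\s*(e)/i', 'x', $html);
$d = preg_replace_callback('/<h1>(.*)<\/h1>/i', 'upper_cb', $html);
'''
```

Calling `find_eval_replace()` on the contents of each PHP file in a deployment lists the line and pattern of every hit; patterns built from variables at run time are not seen by this static check and need manual review.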
RoundCube have released a patch for the problem and have followed it by releasing RoundCube 0.2 stable – incorporating the patch and approximately 80 other bug fixes. Administrators are encouraged to upgrade as soon as possible. Updates to Linux distributions are already appearing.
See also
- CVE-2008-5619, CVE entry
- Fedora update for roundcubemail, advisory of Secunia
- Exploit for Roundcube Webmail, exploit in Milw0rm archives
- Security update for 0.2-beta, vendor's announcement about the patch
- Version 0.2-stable released, vendor's announcement of new stable version
(djwm)