In association with heise online

31 December 2008, 11:05

RoundCube vulnerability allows injection of arbitrary scripting code

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

RoundCube, the PHP based web mail client, was found to be vulnerable and just before christmas an exploit was published on the Milw0rm pages that allowed attackers to inject arbitrary code into the RoundCube application. Secunia has marked this bug as highly critical. RoundCube is free software written in PHP, designed to act as a web gateway for user mailboxes using the IMAP protocol, with support for MIME, an address book, searching and spell checking.

In versions 0.2-1.alpha and 0.2-3.beta, a file called html2text.php makes use of preg_replace(). Unfortunately, insufficient filtering of input data makes it possible for an intruder to force the function to execute arbitrary instructions. The flaw makes it possible to take over control of the software, if the client sends crafted HTML data containing harmful strings. This bug can be used for example, to steal confidential data of other users of the webmail service, or to pursue Local File Inclusion (LFI) and Remote File Inclusion (RFI) attacks.

RoundCube have released a patch for the problem and have followed it by releasing RoundCube 0.2 stable – incorporating the patch and approximately 80 other bug fixes. Administrators are encouraged to upgrade as soon as possible. Updates to Linux distributions are already appearing.

See also


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit