Last Updated: 2008-12-26 17:31:35 UTC
by Marcus Sachs (Version: 1)
Reader Nathan sent us an update on a vulnerability in Roundcube's
html2text.php. He said that the exploit is being seen in the wild and that it works. Roundcube is a PHP powered webmail solution which many prefer over Squirrelmail.
Nathan said that it was fixed on 12/12/2008, http://trac.roundcube.net/changeset/2148 and an official release was on 12/16/2008, http://sourceforge.net/forum/forum.php?forum_id=898542. He also suggested that readers consider Suhosin, mod_chroot, and the below PHP.ini settings:
allow_url_include = Off
allow_url_fopen = Off
session.use_only_cookies = 1
session.cookie_httponly = 1
expose_php = Off
display_errors = Off
register_globals = Off
disable_functions = phpinfo
Thanks for the information and the links Nathan!
Marcus H. Sachs
Director, SANS Internet Storm Center