Roundcube Webmail Issues

SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Roundcube Webmail Issues
Reader Nathan sent us an update on a vulnerability in Roundcube's html2text.php. He said that the exploit is being seen in the wild and that it works. Roundcube is a PHP powered webmail solution which many prefer over Squirrelmail. http://trac.roundcube.net/ticket/1485618 http://www.securiteam.com/unixfocus/6L00O15NFS.html Nathan said that it was fixed on 12/12/2008, http://trac.roundcube.net/changeset/2148 and an official release was on 12/16/2008, http://sourceforge.net/forum/forum.php?forum_id=898542. He also suggested that readers consider Suhosin, mod_chroot, and the below PHP.ini settings: allow_url_include = Off allow_url_fopen = Off session.use_only_cookies = 1 session.cookie_httponly = 1 expose_php = Off display_errors = Off register_globals = Off disable_functions = phpinfo Thanks for the information and the links Nathan! Marcus H. Sachs Director, SANS Internet Storm Center	Marcus 301 Posts ISC Handler Dec 26th 2008
Thread locked Subscribe	Dec 26th 2008 1 decade ago