Roundcube Webmail Issues - SANS Internet Storm Center

SANS ISC InfoSec Forums

Roundcube Webmail Issues
Reader Nathan sent us an update on a vulnerability in Roundcube's html2text.php. He said that the exploit is being seen in the wild and that it works. Roundcube is a PHP powered webmail solution which many prefer over Squirrelmail. http://trac.roundcube.net/ticket/1485618 http://www.securiteam.com/unixfocus/6L00O15NFS.html Nathan said that it was fixed on 12/12/2008, http://trac.roundcube.net/changeset/2148 and an official release was on 12/16/2008, http://sourceforge.net/forum/forum.php?forum_id=898542. He also suggested that readers consider Suhosin, mod_chroot, and the below PHP.ini settings: allow_url_include = Off allow_url_fopen = Off session.use_only_cookies = 1 session.cookie_httponly = 1 expose_php = Off display_errors = Off register_globals = Off disable_functions = phpinfo Thanks for the information and the links Nathan! Marcus H. Sachs Director, SANS Internet Storm Center	Marcus 301 Posts ISC Handler
Subscribe	Dec 26th 2008 1 decade ago