SANS ISC: Roundcube Webmail Issues - SANS Internet Storm Center SANS ISC InfoSec Forums


Roundcube Webmail Issues

Reader Nathan sent us an update on a vulnerability in Roundcube's html2text.php. He said that the exploit is being seen in the wild and that it works. Roundcube is a PHP-powered webmail solution which many prefer over SquirrelMail.

http://trac.roundcube.net/ticket/1485618
http://www.securiteam.com/unixfocus/6L00O15NFS.html

Nathan said that it was fixed on 12/12/2008 (http://trac.roundcube.net/changeset/2148) and that an official release followed on 12/16/2008 (http://sourceforge.net/forum/forum.php?forum_id=898542). He also suggested that readers consider Suhosin, mod_chroot, and the php.ini settings below:

allow_url_include = Off          ; no include/require of remote URLs
allow_url_fopen = Off            ; no fopen()/file_get_contents() on remote URLs
session.use_only_cookies = 1     ; ignore session IDs passed in the URL (session fixation)
session.cookie_httponly = 1      ; session cookie not readable from JavaScript
expose_php = Off                 ; do not advertise the PHP version in X-Powered-By
display_errors = Off             ; do not show error details (paths, queries) to clients
register_globals = Off           ; do not turn request parameters into global variables
disable_functions = phpinfo      ; phpinfo() leaks configuration and paths
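As an added check (example code written for this post, not part of the diary or of Roundcube), the following script reads the running PHP's effective configuration with ini_get() and reports any directive that differs from the values above; run it through the same SAPI the webmail uses, since the CLI can load a different php.ini than Apache or PHP-FPM.

```php
<?php
// Audit the effective PHP settings against the hardening values listed above.
// Exit status 0 when everything matches, 1 when at least one setting differs.

// Expected values, as given in the diary (booleans normalised to '1' / '0').
$expected = [
    'allow_url_include'        => '0',
    'allow_url_fopen'          => '0',
    'session.use_only_cookies' => '1',
    'session.cookie_httponly'  => '1',
    'expose_php'               => '0',
    'display_errors'           => '0',
    'register_globals'         => '0',   // removed in PHP 5.4; ini_get() returns false there
];

// ini_get() returns the raw string ("1", "", "0", "On", "off", ...), so normalise
// before comparing. display_errors = "stderr"/"stdout" also means errors are shown.
function normalise_bool(string $raw): string {
    $v = strtolower(trim($raw));
    return in_array($v, ['1', 'on', 'yes', 'true', 'stderr', 'stdout'], true) ? '1' : '0';
}

$findings = [];
foreach ($expected as $directive => $want) {
    $raw = ini_get($directive);
    if ($raw === false) {            // directive unknown to this PHP build: skip it
        continue;
    }
    if (normalise_bool($raw) !== $want) {
        $findings[] = sprintf('%s = %s (expected %s)',
            $directive, $raw === '' ? '""' : $raw, $want === '1' ? 'On' : 'Off');
    }
}

// disable_functions is a comma-separated list; phpinfo must appear in it.
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
if (!in_array('phpinfo', $disabled, true)) {
    $findings[] = 'disable_functions does not include phpinfo';
}

if ($findings === []) {
    echo "All recommended settings are in effect\n";
    exit(0);
}
foreach ($findings as $f) {
    echo "FAIL: $f\n";
}
exit(1);
```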

Thanks for the information and the links Nathan!

Marcus H. Sachs
Director, SANS Internet Storm Center
