Topic: Possible roundcube config files vulnerability
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5
- Linux/BSD distribution name and version: Ubuntu 14.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue:
====
Hello, I've discovered that the following files (belonging to Roundcube, I believe) are accessible from any IP on my iRedMail server, which poses a security vulnerability.
plugins/password/config.inc.php.dist
plugins/acl/config.inc.php.dist
plugins/help/config.inc.php.dist
plugins/managesieve/config.inc.php.dist
plugins/enigma/config.inc.php.dist
vendor/bin/rcubeinitdb.sh
I've looked at the file permissions, and all of them seem to be owned by root.
-rw-r--r-- 1 root root 15162 Apr 17 19:35 config.inc.php.dist
-rw-r--r-- 1 root root 368 Apr 17 19:35 enigma/config.inc.php.dist
My apache is running as user www-data. How then are they able to be viewed by simply entering their path in the browser? How can I fix this? Thanks.
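An added example, not from this thread: Apache 2.4 directives (the version shipped with Ubuntu 14.04) that refuse to serve the sample configs and helper scripts listed above; the Roundcube document root path is an assumption, replace it with the one used on the server.

```apache
# Added example (not from the thread). The path below is an assumption;
# replace it with the directory Roundcube is actually served from.
<Directory /opt/www/roundcubemail>
    # Refuse every *.dist, *.inc and *.sh file anywhere under the tree,
    # regardless of who owns it or what its mode bits say
    <FilesMatch "\.(dist|inc|sh)$">
        Require all denied
    </FilesMatch>
</Directory>

# Refuse the whole vendor/ tree (composer dependencies, including
# vendor/bin/rcubeinitdb.sh); add other non-public directories the same way
<DirectoryMatch "^/opt/www/roundcubemail/vendor">
    Require all denied
</DirectoryMatch>
```

Mode 0644 is world-readable, so www-data can read root-owned files and Apache serves anything under the document root that no rule denies; after `apachectl configtest` and a reload, a request for one of the listed paths should return 403 instead of the file.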