1 (edited by oquidave 2016-08-04 17:15:10)

Topic: Possible roundcube config files vulnerability

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5
- Linux/BSD distribution name and version: Ubuntu 14.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue:
====

Hello, I've discovered that the following files (belonging to roundcube I believe) are accessible from any IP on my iredmail server, which poses a security vulnerability.

plugins/password/config.inc.php.dist
plugins/acl/config.inc.php.dist
plugins/help/config.inc.php.dist
plugins/managesieve/config.inc.php.dist
plugins/enigma/config.inc.php.dist
vendor/bin/rcubeinitdb.sh

I've looked at the file permissions, and all of them seem to be owned by root.

-rw-r--r-- 1 root root 15162 Apr 17 19:35 config.inc.php.dist
-rw-r--r-- 1 root root 368 Apr 17 19:35 enigma/config.inc.php.dist

My apache is running as user www-data. How then are they able to be viewed by simply entering their path in the browser? How can I fix this? Thanks.

Post's attachments: config-inc-php-dist-file.png


2

Re: Possible roundcube config files vulnerability

File "config.inc.php.dist" is just a sample config file; it doesn't contain sensitive info like the SQL username/password. Also, it's publicly readable in the Roundcube GitHub repo:
https://github.com/roundcube/roundcubemail

You should check file 'config.inc.php' instead (without '.dist' suffix).

3

Re: Possible roundcube config files vulnerability

Okay thanks. Although I would want to know how Apache is able to serve files that are restricted to root user only.

ZhangHuangbin wrote:

File "config.inc.php.dist" is just a sample config file; it doesn't contain sensitive info like the SQL username/password. Also, it's publicly readable in the Roundcube GitHub repo:
https://github.com/roundcube/roundcubemail

You should check file 'config.inc.php' instead (without '.dist' suffix).

4

Re: Possible roundcube config files vulnerability

oquidave wrote:

Although I would want to know how Apache is able to serve files that are restricted to root user only.

It's owned by root, but it's readable by Apache daemon user.
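The two answers above come down to one Unix rule: only one class of permission bits applies to a given process (owner, else group, else "other"), so a root-owned file with mode 0644 is readable by www-data through the "other" bits, and the file that actually deserves a check is the live config.inc.php rather than the shipped .dist samples. The script below is an added example written for this thread, not code from iRedMail or Roundcube. It implements that access check, runs it over a constructed set of entries modelled on the `ls -l` lines in the first post, and flags a live config that every local user can read. It assumes the Apache daemon user is www-data with uid/gid 33 (the Debian/Ubuntu default; confirm with `id www-data`), and the sample paths are constructed.

```python
import os
import stat
from typing import Iterable, NamedTuple

# Assumed identity of the Apache daemon user (www-data is uid/gid 33 on
# Debian/Ubuntu); an assumption for this example, verify with `id www-data`.
WWW_DATA_UID = 33
WWW_DATA_GIDS = {33}


class Entry(NamedTuple):
    path: str
    mode: int   # permission bits only, e.g. 0o644
    uid: int    # owner uid
    gid: int    # owner gid


def can_read(mode: int, owner_uid: int, owner_gid: int,
             uid: int, gids: Iterable[int]) -> bool:
    """Classic Unix discretionary check for read access.

    Exactly one class of bits is consulted: owner bits if the uid matches,
    otherwise group bits if the file's group is among the caller's groups,
    otherwise the 'other' bits. root (uid 0) bypasses the check entirely.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in set(gids):
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_entries(entries, daemon_uid=WWW_DATA_UID, daemon_gids=WWW_DATA_GIDS):
    """One finding per entry: can the web daemon read it, can every local
    user read it, and is it merely a shipped .dist sample (no secrets)."""
    findings = []
    for e in entries:
        daemon_ok = can_read(e.mode, e.uid, e.gid, daemon_uid, daemon_gids)
        world = bool(e.mode & stat.S_IROTH)
        sample = e.path.endswith(".dist")
        # A live config.inc.php that any local account can read is what to
        # tighten (e.g. root:www-data with mode 0640); .dist files are samples.
        findings.append({
            "path": e.path,
            "daemon_can_read": daemon_ok,
            "world_readable": world,
            "sample_only": sample,
            "needs_attention": world and not sample,
        })
    return findings


def entry_from_disk(path: str) -> Entry:
    """Build an Entry from a real file so the same audit runs on a live box."""
    st = os.stat(path)
    return Entry(path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


# Constructed sample: the root:root 0644 .dist file from the post, a hardened
# live config (root:www-data 0640) and a weak live config (root:root 0644).
SAMPLE_ENTRIES = [
    Entry("roundcube/plugins/enigma/config.inc.php.dist", 0o644, 0, 0),
    Entry("roundcube-hardened/config/config.inc.php", 0o640, 0, 33),
    Entry("roundcube-weak/config/config.inc.php", 0o644, 0, 0),
]

if __name__ == "__main__":
    for finding in audit_entries(SAMPLE_ENTRIES):
        print(finding)
```

On a real server, replace `SAMPLE_ENTRIES` with `[entry_from_disk(p) for p in paths]` over the Roundcube config directory. The hardened entry shows the usual fix: the daemon keeps read access through the group bits while the "other" bits are cleared, so the SQL credentials in config.inc.php are no longer readable by every local account.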