Topic: Roundcube Vulnerability
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.95-1
- Linux/BSD distribution name and version: Debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====
Greetings, I found this about Roundcube this morning on The Register. I thought that, since we've got so many users who depend on Roundcube, this is probably an important thing to check / update.
http://www.theregister.co.uk/2016/12/07 … mail_flaw/
From the article:
The developers of open source webmail package Roundcube want sysadmins to push in a patch, because a bug in versions prior to 1.2.3 let an attacker crash it remotely – by sending what looks like valid e-mail data.
The authors overlooked sanitising the fifth argument (the _from parameter) in mail() – and that meant someone only needed to compose an e-mail with malicious info in that argument to attack Roundcube.
It works because of how the program flows in a default installation. User input from the Roundcube UI is passed to PHP's mail() function, and mail() calls sendmail.
Because the user input wasn't sanitised until the bug-fix, the fifth argument when calling mail() could be used to execute sendmail with the -X option to log all mail traffic – and that, according to RIPS Technologies in this blog post, could be abused to spawn a malicious PHP file in the target server's Webroot directory.
If it hasn't already been patched, it sounds like this one needs to be. Just a heads-up!
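To make the quoted explanation concrete, here is an added example (my own illustration, not Roundcube's code and not the RIPS proof of concept) of the unsafe and the hardened way to derive mail()'s fifth argument from a user-supplied From address. The function names and the two sample addresses are assumptions made for this illustration; nothing here calls mail() or sendmail, so it runs anywhere PHP CLI is installed.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not Roundcube's own code, nor the RIPS proof of concept):
 * unsafe vs. hardened construction of mail()'s fifth argument from a
 * user-supplied From address. Function names and sample addresses below
 * are assumptions for this illustration.
 */

// Unsafe: the From address goes straight into sendmail's argument string.
// PHP passes this string through escapeshellcmd(), which neutralises shell
// metacharacters but not whitespace or dashes, so "addr -X/path" still
// reaches sendmail as two separate options.
function senderParamUnsafe(string $from): string
{
    return '-f' . $from;
}

// Hardened: insist on a single, syntactically valid address before it is
// allowed anywhere near a command line.
function senderParamHardened(string $from): string
{
    $from = trim($from);
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid sender address');
    }
    // FILTER_VALIDATE_EMAIL already rejects embedded whitespace; also refuse
    // an address that starts with "-" so it can never be read as an option.
    if (preg_match('/^-|\s/', $from)) {
        throw new InvalidArgumentException('Sender address looks like an option');
    }
    return '-f' . $from;
}

// How sendmail would see the resulting string: split on whitespace, the same
// way a command line is split into argv.
function sendmailArgv(string $params): array
{
    return preg_split('/\s+/', trim($params));
}

// Constructed inputs for the demonstration (assumed, not real traffic).
$benign    = 'alice@example.com';
$malicious = 'alice@example.com -X/var/www/html/shell.php';

foreach ([$benign, $malicious] as $from) {
    echo "From: $from\n";
    echo "  unsafe   -> ", json_encode(sendmailArgv(senderParamUnsafe($from))), "\n";
    try {
        echo "  hardened -> ", json_encode(sendmailArgv(senderParamHardened($from))), "\n";
    } catch (InvalidArgumentException $e) {
        echo "  hardened -> rejected: ", $e->getMessage(), "\n";
    }
}
```

Run with `php example.php`: for the benign address both functions yield a single `-falice@example.com` argument, while for the constructed malicious address the unsafe version yields two arguments (the second being the injected `-X` log option the article describes) and the hardened version rejects the input. As the quoted text notes, this path is only taken when Roundcube hands mail to PHP's mail() and thus to sendmail; a deployment that submits via SMTP does not build a sendmail command line from the From address at all, so the version check is still the thing to do first.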