1

Topic: URGENT: security fix required for Nginx configured by iRedMail

Dear all,

We discovered 2 security issues with Nginx settings configured by iRedMail, please follow our tutorial below to fix them.

About the issue

Default Nginx settings configured by iRedMail doesn’t block access to per-user GPG keys generated with Roundcube (plugin `enigma` must be enabled, and it's enabled by default with default iRedMail settings) and all dot files.

For more details, please check link below:
http://legacysecuritygroup.com/cve/refe … enigma.txt

All credit goes to bitbucket user @exploitagency, thanks for the report in our issue tracker:
https://bitbucket.org/zhb/iredmail/issu … th-default


Affected Linux/BSD distributions

It affects ALL Linux/BSD distributions supported by iRedMail with Nginx running.



Affected iRedMail releases

- It affects iRedMail-0.9.0 and later releases.
- It affects iRedMail load-balance cluster.



How to fix it

Please open file /etc/nginx/templates/roundcube.tmpl (Linux/OpenBSD) or /usr/local/etc/nginx/templates/roundcube.tmpl (FreeBSD), add lines below ABOVE any existing lines:

# Block access to default directories and files under these directories
location ~ /mail/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { deny all; }

# Block access to default files under top-directory and files start with same name.
location ~ /mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }

# Block plugin config files and sample config files.
location ~ /mail/plugins/.*/config.inc.php.* { deny all; }

# Block access to plugin data
location ~ /mail/plugins/enigma/home($|/.*) { deny all; }

Please open file /etc/nginx/templates/roundcube-subdomain.tmpl (Linux/OpenBSD) or /usr/local/etc/nginx/templates/roundcube-subdomain.tmpl (FreeBSD), add lines below ABOVE any existing lines:

# Block access to default directories and files under these directories
location ~ /(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { deny all; }

# Block access to default files under top-directory and files start with same name.
location ~ /(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }

# Block plugin config files and sample config files.
location ~ /plugins/.*/config.inc.php.* { deny all; }

# Block access to plugin data
location ~ /plugins/enigma/home($|/.*) { deny all; }

Open file /etc/nginx/sites-available/00-default.conf AND 00-default-ssl.conf, make sure template file `misc.tmpl` is loaded before other template files. For example, existing config file may look like this:

server {
    ...
    include ...;
    include ...;
    include /etc/nginx/templates/misc.tmpl;
}

Please move the 'misc.tmpl' line above any other `include` directive. Final setting should look like this:
```

server {
    ...
    include /etc/nginx/templates/misc.tmpl;
    include ...;
    include ...;
}

Note: Nginx in iRedMail-0.9.7 loads modular config files from /etc/nginx/sites-conf/default/ and /etc/nginx/sites-conf/default-ssl/ instead of store all directives for default web hosts in one file, in this case you need to:

*) rename file /etc/nginx/sites-conf/default/99-include-tmpl-misc.conf to /etc/nginx/sites-conf/default/1-include-tmpl-misc.conf
*) rename file /etc/nginx/sites-conf/default-ssl/99-include-tmpl-misc.conf to /etc/nginx/sites-conf/default-ssl/1-include-tmpl-misc.conf

Restarting Nginx service is required.

2

Re: URGENT: security fix required for Nginx configured by iRedMail

I cannot restart the nginx service because of this error:

nginx: [emerg] duplicate location "/favicon.ico" in /etc/nginx/templates/misc.tmpl:14
nginx: configuration file /etc/nginx/nginx.conf test failed

I think this is because misc.tmpl its being included twice.

3

Re: URGENT: security fix required for Nginx configured by iRedMail

Please make sure "misc.tmpl" is loaded only once.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

4

Re: URGENT: security fix required for Nginx configured by iRedMail

Soo, this means for iRedMail Release 0.9.7, because misc.tmpl its being included twice. just ignore this Step:
in /etc/nginx/sites-available/00-default.conf AND 00-default-ssl.conf

server {
    ...
    include /etc/nginx/templates/misc.tmpl;
    include ...;
    include ...;
}

?? or did i misunderstood, i don't really know how nginx works. So not sure exactly where misc.tmpl is loaded twice. Thx for the feedback.

5

Re: URGENT: security fix required for Nginx configured by iRedMail

fadi_asbih wrote:

Soo, this means for iRedMail Release 0.9.7, because misc.tmpl its being included twice. just ignore this Step:
in /etc/nginx/sites-available/00-default.conf AND 00-default-ssl.conf

Yes.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee