[RCD] zero day vulnerability (tested on v8.0 to 9.0)

Thomas Bruederli thomas at roundcube.net
Wed Mar 27 18:21:08 CET 2013


On Wed, Mar 27, 2013 at 5:47 PM, Sergey Sidlyarenko
<roundcube at lefoyer.ru> wrote:
> This patch
> https://github.com/roundcube/roundcubemail/commit/0fcb2b139bf0c50dec3b82898434f203c21d847f
> is not secure because it only limits reading files by extension (php, ini, conf) and
> the folder /etc. Reading /usr/local/etc, logs and other files is still allowed (if the
> hosting does not limit open_basedir).

This isn't the main patch but only an additional sanity check. I'm
well aware that this check isn't bullet-proof but it covers the worst
cases in the local Roundcube directory. And on shared hosting
environments, open_basedir is mostly installed, which would then prevent
system-wide access.

The more important fix is to avoid overwriting arbitrary user prefs.
This is fixed in
https://github.com/roundcube/roundcubemail/commit/648fcf5709

~Thomas
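The two styles of check discussed in this exchange, as an added illustration that is not Roundcube's code and not the patch linked above: a deny-list that refuses the php/ini/conf extensions and the literal /etc prefix, beside an allow-list that resolves the path with realpath() and accepts it only inside a chosen base directory. Function names, the base directory (the script's own directory) and the probe paths are all hypothetical.

```php
<?php
// Added illustration, not Roundcube's code: contrasts a deny-list style
// sanity check (block by extension and by the /etc prefix) with an
// allow-list check anchored to a base directory. Function names and
// sample paths are hypothetical.

/** Deny-list: refuse *.php, *.ini, *.conf and anything under /etc. */
function denylist_allows(string $path): bool
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (in_array($ext, ['php', 'ini', 'conf'], true)) {
        return false;
    }
    // Literal prefix match only: '/etc/' is caught, but neither
    // '/usr/local/etc/' nor '/var/www/../etc/passwd' is.
    if (strpos($path, '/etc/') === 0) {
        return false;
    }
    return true;
}

/**
 * Allow-list: resolve the path with realpath() (collapsing '..' and
 * symlinks) and accept it only if it lies inside $base. Paths that do
 * not exist are rejected because realpath() returns false for them.
 */
function allowlist_allows(string $path, string $base): bool
{
    $real     = realpath($path);
    $realBase = realpath($base);
    if ($real === false || $realBase === false) {
        return false;
    }
    $realBase = rtrim($realBase, '/') . '/';
    return strncmp($real, $realBase, strlen($realBase)) === 0;
}

// Constructed probe paths; only __FILE__ is guaranteed to exist on disk.
$probes = [
    '/etc/passwd',                           // deny: blocked by /etc prefix
    '/var/www/roundcube/config/main.inc.php', // deny: blocked by extension
    '/usr/local/etc/apache2/httpd.conf',     // deny: blocked by extension only
    '/usr/local/etc/ssh/ssh_host_rsa_key',   // deny: passes (no rule matches)
    '/var/log/apache2/access.log',           // deny: passes (no rule matches)
    '/var/www/../etc/passwd',                // deny: passes (prefix not literal)
    __FILE__,                                // deny: blocked (.php); allow: passes
];

foreach ($probes as $p) {
    printf("%-42s deny-list: %-5s  allow-list(%s): %s\n",
        $p,
        denylist_allows($p) ? 'pass' : 'block',
        basename(__DIR__),
        allowlist_allows($p, __DIR__) ? 'pass' : 'block');
}
```

Run with `php` from any directory; every probe outside the script's directory is rejected by the allow-list regardless of extension, while the deny-list lets the ssh key, the log file and the `..` traversal through and, conversely, blocks the script itself only because it happens to end in `.php`. Neither check replaces open_basedir, which the thread relies on as the outer boundary on shared hosts.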

