[RCD] Security updates 0.8.6 and 0.7.3 for save-pref vulnerability

Vladislav Bogdanov bubble at hoster-ok.com
Thu Mar 28 09:54:21 CET 2013


28.03.2013 01:02, Thomas Bruederli wrote:
> After getting reports about a possible vulnerability of Roundcube
> which allows an attacker to modify its users preferences in a way that
> he/she can then read files from the server, we now published updated
> packages as well as patches that fix this security issue.
> 
> Please update all your Roundcube installations with the new versions
> (0.9-rc2, 0.8.6, 0.7.4) or patch them with the published patches.
> Download the latest version from http://roundcube.net/download
> 
> Patch for 0.9.x: http://ow.ly/jtQD0
> Patch for 0.8.x: http://ow.ly/jtQHM
> Patch for 0.7.x: http://ow.ly/jtQK0
> Patch for 0.6: http://ow.ly/jtQNd

Are previous versions affected?

Looking at my 0.4 installation, save_prefs is implemented absolutely
differently: there are lists of prefs for each section, and they are
cherry-picked from what the client sends.

> 
> In order to find out whether one of your users has vulnerable
> preferences, you can run the following query on the Roundcube user
> database:
> 
> SELECT * FROM users WHERE preferences LIKE '%generic_message_footer%'
> 
> If this returns any results, you should at least clear the
> 'preferences' field of that user entry. Or better: entirely block the
> user because he or she most likely tried to exploit your system.
> 
> And here's some background about the vulnerability:
> http://lists.roundcube.net/pipermail/dev/2013-March/022328.html
> 
> Best regards,
> Thomas
> _______________________________________________
> Roundcube Development discussion mailing list
> dev at lists.roundcube.net
> http://lists.roundcube.net/mailman/listinfo/dev
> 
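As an added example (not part of the list thread or Roundcube itself), here is a small defender script that applies the detection query and the clean-up step from the announcement against a constructed in-memory copy of the `users` table. It assumes the table has `user_id`, `username` and `preferences` columns and that preferences are stored as a PHP-serialized array, which is what the regex relies on; real installations use MySQL or PostgreSQL, so only the connection setup would change.

```python
import re
import sqlite3

# Constructed sample rows standing in for a Roundcube `users` table.
# The preferences column is assumed to hold a PHP-serialized array.
SAMPLE_USERS = [
    (1, "alice@example.com", 'a:1:{s:8:"timezone";s:4:"auto";}'),
    (2, "mallory@example.com",
     'a:2:{s:8:"timezone";s:4:"auto";'
     's:22:"generic_message_footer";s:17:"/some/server/file";}'),
    (3, "bob@example.com", None),
]

# Pulls the footer value out of a PHP-serialized string (assumed format).
FOOTER_RE = re.compile(r's:\d+:"generic_message_footer";s:\d+:"([^"]*)"')


def open_sample_db():
    """Build an in-memory SQLite database with the relevant columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        "username TEXT, preferences TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_suspicious_users(conn):
    """Run the LIKE query from the advisory; return (user_id, username, footer)."""
    rows = conn.execute(
        "SELECT user_id, username, preferences FROM users "
        "WHERE preferences LIKE '%generic_message_footer%'"
    ).fetchall()
    hits = []
    for user_id, username, prefs in rows:
        m = FOOTER_RE.search(prefs or "")
        hits.append((user_id, username, m.group(1) if m else None))
    return hits


def clear_preferences(conn, user_ids):
    """Remediation from the advisory: clear the preferences field. Returns rows changed."""
    changed = 0
    for uid in user_ids:
        cur = conn.execute("UPDATE users SET preferences = NULL WHERE user_id = ?", (uid,))
        changed += cur.rowcount
    conn.commit()
    return changed
```

Review the reported footer value before clearing; the announcement also suggests blocking the account, which this script deliberately leaves to the operator.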
