[RCD] Security updates 0.8.6 and 0.7.3 for save-pref vulnerability

Vladislav Bogdanov bubble at hoster-ok.com
Fri Mar 29 07:48:11 CET 2013


28.03.2013 12:13, A.L.E.C wrote:
> On 03/28/2013 09:54 AM, Vladislav Bogdanov wrote:
> 
>>> Patch for 0.6: http://ow.ly/jtQNd
>>
>> Are previous versions affected?
>>
>> Looking at my 0.4 installation, save_prefs is implemented absolutely
>> differently, there are lists of prefs for each section, and they are
>> cherry-picked from a what client sends.

It is r3787 (Mon, 28 Jun 2010)
https://github.com/roundcube/roundcubemail/tree/bdb13a51f735623146f1ac81d9323e5182f99511
with local patches to be precise.

> 
> 0.4 is vulnerable too, you're looking in a wrong place. The issue is in
> steps/utils/save_pref.inc.

program/steps/settings/save_prefs.inc in my tree.

This one -
https://github.com/roundcube/roundcubemail/blob/bdb13a51f735623146f1ac81d9323e5182f99511/program/steps/settings/save_prefs.inc

This revision uses static lists of per-section prefs. I can't believe it
is vulnerable.

> We don't support such very old releases.

I understand. You go toooo fast for me to follow ;) Keep going!

It would be nice if you dig exact commit which introduced this.



More information about the dev mailing list