[RCD] IMAP ID Bug found in Roundcube 1.0.1 in rcube_imap.php

Cor Bosman cor at xs4all.nl
Fri Nov 7 12:51:25 CET 2014


> On 07 Nov 2014, at 12:44, Reindl Harald <h.reindl at thelounge.net> wrote:
> 
> 
> Am 07.11.2014 um 12:30 schrieb Cor Bosman:
>>> On 07 Nov 2014, at 12:24, Reindl Harald <h.reindl at thelounge.net> wrote:
>>> 
>>> Am 07.11.2014 um 12:17 schrieb Cor Bosman:
>>>> I changed my plugin to use the rcube_utils function,
>>>> https://github.com/corbosman/ident
>>>> 
>>>> Reindl has a point though, but that should be changed in that function then
>>> 
>>> it can't
>>> 
>>> the point of "mod_remoteip" is that you never face the physical IP anywhere in the application, not in the logs and not in apache modules like mod_security if they are implemented correctly
>>> 
>>> if you read the mod_remoteip docs carefully you see that this header can list more than one address (two proxies between the user and your own proxy which adds his physical client ID) and hence it is important which is your own trusted one and god beware you try to handle that inside the application and making mistakes if the result is used for authentication and permissions
>>> 
>>> that's why you *never* should deal with that inside a webapp and keep the responsibility with the webserver admin
>> 
>> This plugin's sole purpose is to hint to dovecot what the actual user's ip address was that connected to roundcube, instead of roundcube's own ip address. That hint could then serve you for further investigation.
>> 
>> I don't know what roundcube itself does with that info, but I don't think it does anything 'dangerous' with it
> 
> *but* dovecot may do depending on the configuration because forwarding that information has the simple reason that otherwise you can't enforce ip based access lists for webmail users
> 
> finally that means: don't forward untrustworthy information to dovecot
> 
> doing so breaks, until that happens, sane and secure configurations, and secure in that context means nobody but the server admin knows the big picture of proxies, NAT and access lists and hence is responsible to deal with that - that's why mod_remoteip exists

Dovecot doesn't. All dovecot does with that information is log the x-forwarded-ip if, and only if, your roundcube server is listed as a host that is allowed to provide that info.

I really fail to see the security implications as long as one realises this info is meant as a hint, not absolute fact. It's still slightly more useful than having the roundcube ip listed in your imap logfile. But YMMV.

Cor
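The thread turns on two trust decisions: which X-Forwarded-For hop a web server may believe (the multi-proxy case Reindl describes for mod_remoteip), and whether the IMAP server should record a forwarded client address at all (Cor's description of Dovecot accepting the hint only from a listed host). The following is an added example written for this archive page; it is not code from Roundcube, the ident plugin, mod_remoteip or Dovecot, and the proxy networks, host list and addresses in it are constructed. It shows the spoofable leftmost-entry approach next to a right-to-left walk that stops at the first untrusted hop, plus a minimal "accept the hint only from a trusted submitter" check on the receiving side.

```python
"""Trusted-proxy resolution of a forwarded client address.

Added example, not project code. Mirrors the rule the thread attributes
to mod_remoteip: X-Forwarded-For may carry several hops, and only hops
appended by proxies you control are reliable. All values are constructed.
"""
import ipaddress
from typing import Optional

# Constructed: networks of the proxies whose X-Forwarded-For entries we trust.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# Constructed: webmail hosts the IMAP side would accept a client-IP hint from.
TRUSTED_WEBMAIL_HOSTS = {"192.0.2.50"}


def is_ip(addr: str) -> bool:
    """True if addr parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(addr.strip())
        return True
    except ValueError:
        return False


def is_trusted_proxy(addr: str) -> bool:
    """True if addr lies inside one of the trusted proxy networks."""
    if not is_ip(addr):
        return False
    ip = ipaddress.ip_address(addr.strip())
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The spoofable approach: believe the leftmost X-Forwarded-For entry.

    Any client can put an arbitrary first entry in the header, so the
    value returned here is attacker-controlled whenever xff is present.
    """
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def trusted_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Resolve the client as the nearest trusted proxy saw it.

    If the TCP peer is not a trusted proxy the header is ignored outright.
    Otherwise walk X-Forwarded-For from the right, discarding trusted
    hops; the first untrusted, well-formed address is the client.
    Everything further left was written by parties we do not trust.
    A malformed hop ends the walk and the last trusted hop is returned.
    """
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    nearest_trusted = remote_addr
    while hops:
        candidate = hops.pop()
        if is_trusted_proxy(candidate):
            nearest_trusted = candidate
            continue
        if not is_ip(candidate):
            break
        return candidate
    return nearest_trusted


def imap_login_record(peer: str, user: str, hint: Optional[str]) -> str:
    """Receiving-side check in the spirit of Cor's description of Dovecot.

    The forwarded address is written to the log only when the submitting
    peer is a listed webmail host and the hint is a well-formed address;
    otherwise only the real peer is recorded. The hint is informational
    and is never used for any access decision here.
    """
    if hint and peer in TRUSTED_WEBMAIL_HOSTS and is_ip(hint):
        return f"login: user=<{user}>, rip={peer}, forwarded-ip={hint.strip()}"
    return f"login: user=<{user}>, rip={peer}"


if __name__ == "__main__":
    # Constructed request: client 198.51.100.7 behind our proxy 203.0.113.10,
    # which in turn sits behind our front proxy 10.0.0.5; the client has
    # prepended a fake entry to try to masquerade as 1.2.3.4.
    header = "1.2.3.4, 198.51.100.7, 203.0.113.10"
    print("naive  :", naive_client_ip("10.0.0.5", header))
    print("trusted:", trusted_client_ip("10.0.0.5", header))
    print(imap_login_record("192.0.2.50", "alice", "198.51.100.7"))
    print(imap_login_record("198.51.100.9", "alice", "198.51.100.7"))
```

The two resolution functions differ only in which end of the header they believe, which is the whole of Reindl's point: the leftmost entry is whatever the client chose to send, while the first untrusted entry counted from the right is what your own proxy observed. The receiving-side function keeps the forwarded value out of the record entirely unless the peer is on the allow-list, which is the behaviour Cor relies on.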


