[RCD] IMAP ID Bug found in Roundcube 1.0.1 in rcube_imap.php

Cor Bosman cor at xs4all.nl
Fri Nov 7 13:08:04 CET 2014


On 07.11.2014 at 12:51, Cor Bosman wrote:
>>> On 07 Nov 2014, at 12:44, Reindl Harald <h.reindl at thelounge.net> wrote:
>>>> I don't know what roundcube itself does with that info, but I don't think it does anything 'dangerous' with it
>>> 
>>> *but* dovecot may do depending on the configuration because forwarding that information has the simple reason that otherwise you can't enforce ip based access lists for webmail users
>>> 
>>> finally that means: don't forward untrustworthy information to dovecot
>>> 
>>> doing so breaks until that happens sane and secure configurations and secure in that context means nobody but the server admin knows the big picture of proxies, NAT and access lists and hence is responsible to deal with that - that's why mod_remoteip exists
>> 
>> Dovecot doesn't. All dovecot does with that information is log the x-forwarded-ip
> 
> and then on the server runs "fail2ban" enforcing blocking based on that log - congratulations

That still doesn't compromise your security, but I see your point. A DoS possibility, even a remote possibility, is annoying.

I'll revert my plugin back to $_SERVER, and I'll leave it up to rc devs what to do with the rcube_utils function.

Cor
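As an added illustration of the trust boundary discussed above (this is not code from Roundcube, from the plugin, or from anyone in this thread), one defender-side way to pick an address that is safe to hand to the IMAP backend: honour a proxy-supplied `X-Forwarded-For` header only when the TCP peer in `$_SERVER['REMOTE_ADDR']` is an operator-configured reverse proxy, and otherwise forward `REMOTE_ADDR` itself. The trusted-proxy list, the header name and the IPv4-only CIDR helper are assumptions made for the example.

```php
<?php
// Added example: choose the client address to forward to the IMAP server.
// X-Forwarded-For is client-controlled unless a trusted reverse proxy set it,
// so it is consulted only when the TCP peer is in the operator's proxy list;
// a spoofed value therefore cannot end up in the backend's logs.

function trusted_client_addr(array $server, array $trusted_proxies)
{
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : null;
    if ($peer === null || filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null; // nothing trustworthy to forward
    }
    // Direct connection or unknown peer: never look at request headers.
    if (!in_cidr_list($peer, $trusted_proxies) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    // XFF is a comma-separated chain; each proxy appends the address it saw.
    // Walk from the right, skip our own proxies, and stop at the first hop a
    // trusted proxy actually observed. Anything further left came from the client.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (filter_var($chain[$i], FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed header: fall back to the TCP peer
        }
        if (!in_cidr_list($chain[$i], $trusted_proxies)) {
            return $chain[$i];
        }
    }
    return $peer; // the whole chain consisted of our proxies
}

// Assumption: IPv4-only matcher for entries like "10.0.0.5" or "10.0.0.0/8".
function in_cidr_list($ip, array $list)
{
    foreach ($list as $entry) {
        if (strpos($entry, '/') === false) {
            if ($entry === $ip) return true;
            continue;
        }
        list($net, $bits) = explode('/', $entry, 2);
        $ipl = ip2long($ip); $netl = ip2long($net);
        if ($ipl === false || $netl === false) continue;
        $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
        if (($ipl & $mask) === ($netl & $mask)) return true;
    }
    return false;
}

// Constructed sample: request via proxy 10.0.0.5; the client tried to inject
// a fake earlier hop (203.0.113.7) ahead of its real address.
$sample = ['REMOTE_ADDR' => '10.0.0.5',
           'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 198.51.100.23'];
echo trusted_client_addr($sample, ['10.0.0.0/8']), "\n";
```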


