[RCD] IMAP ID Bug found in Roundcube 1.0.1 in rcube_imap.php

Reindl Harald h.reindl at thelounge.net
Fri Nov 7 13:22:17 CET 2014

Am 07.11.2014 um 13:08 schrieb Cor Bosman:
> Am 07.11.2014 um 12:51 schrieb Cor Bosman:
>>>> On 07 Nov 2014, at 12:44, Reindl Harald <h.reindl at thelounge.net> wrote:
>>> Dovecot doesnt. All dovecot does with that information is log the x-forwarded-ip
>> and than on the server runs "fail2ban" enforcing blocking based on that log - congratulations
> That still doesnt compromise your security, but I see your point.
> A DOS possibility, even a remote possibiity,  is annoying.

if you ever have a security audit on your infrastructure you will see 
that you get a red flag for *any* known DOS possibility and if the audit 
was given in order by a customer that means you have 24 hours to fix 
that issue or shutdown the server - been there or better said we are 
there every week (currently only for webservers but that may change from 
one day to the next)

the point is not only the DOS - but that's one example where i needed 
only to think 5 seconds after "it's just used for logging" - there are 
people out there with a lot of time thinking how they can abuse IT systems

are you 100% sure that it don't use that information or will not do so 
in later releases?

the idea behind "mod_remoteip" is that you can *trust* 
$_SERVER['REMITE_ADDR'] to contain the clients IP behind a proxy and 
hence Allow from / Deny from in Apache is using also that information 
hence it is trustable in a correct setup

> I'll revert my plugin back to $_SERVER, and i'll leave it up to rc devs
> what to do with the rcube_utils function

thank you!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.roundcube.net/pipermail/dev/attachments/20141107/a6c63b16/attachment.sig>

More information about the dev mailing list