[RCD] IMAP ID Bug found in Roundcube 1.0.1 in rcube_imap.php

Reindl Harald h.reindl at thelounge.net
Fri Nov 7 13:38:30 CET 2014

Am 07.11.2014 um 13:30 schrieb Cor Bosman:
>> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
>> are you 100% sure that it don't use that information or will not do so in later releases?
> That's not the dovecot option that applies here

i know that!

but can you assure that the forwarded IP will not be used in a future 
release (maybe optional) in that context too or in some 3rd party module?

the point is simple: don't forward possible untrusted input if you have 
a trustable source too because you can't know the implications on other 
parts of the mail stack

security is a complex topic

did you know that $_SERVER['PHP_SELF'] is vulnerable for XSS until you 
set "AcceptPathInfo Off" in your Apache config which maybe breaks other 
applications? i did not until a security audit showed a red flag!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.roundcube.net/pipermail/dev/attachments/20141107/caafaadc/attachment.sig>

More information about the dev mailing list