After getting reports about a possible vulnerability of Roundcube
which allows an attacker to modify its users' preferences in a way that
he/she can then read files from the server, we have now published updated
packages as well as patches that fix this security issue.

Please update all your Roundcube installations with the new versions
(0.9-rc2, 0.8.6, 0.7.4) or patch them with the published patches.

Download the latest version from http://roundcube.net/download
Patch for 0.9.x: http://ow.ly/jtQD0
Patch for 0.8.x: http://ow.ly/jtQHM
Patch for 0.7.x: http://ow.ly/jtQK0
Patch for 0.6: http://ow.ly/jtQNd

In order to find out whether one of your users has vulnerable
preferences, you can run the following query on the Roundcube user
database:

SELECT * FROM users WHERE preferences LIKE '%generic_message_footer%'

If this returns any results, you should at least clear the
'preferences' field of that user entry. Or better: entirely block the
user because he or she most likely tried to exploit your system.

And here's some background about the vulnerability:
http://lists.roundcube.net/pipermail/dev/2013-March/022328.html

Best regards,
Thomas

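The detection query and the first remediation step from the advisory above, as an added example that is not part of the original mail: it builds a constructed stand-in for the Roundcube `users` table in SQLite, runs the advisory's LIKE query, extracts the footer value for reporting (assuming the `preferences` column holds PHP serialize() output), and clears the field for the affected accounts. Table layout, sample rows and the helper names are assumptions for this example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the Roundcube users table.
# Assumption: `preferences` is a PHP serialize() string such as
# a:1:{s:8:"timezone";s:3:"UTC";}  (Roundcube stores it that way).
SAMPLE_ROWS = [
    (1, "alice@example.org", 'a:1:{s:8:"timezone";s:13:"Europe/Berlin";}'),
    (2, "bob@example.org",
     'a:2:{s:8:"timezone";s:3:"UTC";'
     's:22:"generic_message_footer";s:11:"/etc/passwd";}'),
    (3, "carol@example.org", None),
]

# Pulls the serialized string value stored under generic_message_footer.
FOOTER_VALUE = re.compile(r's:22:"generic_message_footer";s:\d+:"([^"]*)"')


def open_sample_db():
    """In-memory SQLite database with a minimal users table (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY,"
               " username TEXT, preferences TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def find_suspicious_users(db):
    """Run the advisory's query; return (user_id, username, footer_value)."""
    rows = db.execute(
        "SELECT user_id, username, preferences FROM users"
        " WHERE preferences LIKE '%generic_message_footer%'").fetchall()
    hits = []
    for user_id, username, prefs in rows:
        m = FOOTER_VALUE.search(prefs)
        hits.append((user_id, username, m.group(1) if m else None))
    return hits


def clear_preferences(db, user_ids):
    """Advisory's minimum remediation: wipe the preferences field."""
    cur = db.executemany("UPDATE users SET preferences = NULL WHERE user_id = ?",
                         [(uid,) for uid in user_ids])
    db.commit()
    return cur.rowcount  # number of user rows cleared


if __name__ == "__main__":
    conn = open_sample_db()
    for uid, name, footer in find_suspicious_users(conn):
        print(f"user {uid} ({name}): generic_message_footer = {footer!r}")
    print("cleared:", clear_preferences(conn, [uid for uid, _, _ in find_suspicious_users(conn)]))
```

Blocking the account, the stronger step the advisory recommends, is done outside the database (e.g. in the IMAP backend) and is not shown here.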
Hello all,

We just published the feature-complete release candidate for the
upcoming version 0.9. After adding some neat new features in 0.9-beta
we have now stabilized the code for the final release. Read
http://trac.roundcube.net/wiki/Changelog for details.

Download it from http://roundcube.net/download and update your testing
systems. Use either the installto.sh or update.sh scripts to do the
update as described in the UPGRADING instructions. These will take
advantage of the new database schema upgrade mechanism we just added.
That should make it easier and safer to keep the local database schema
up-to-date with the new versions.

And please report remaining bugs to our bug tracker.

Best regards,
Thomas