28.03.2013 01:02, Thomas Bruederli wrote:
After getting reports about a possible vulnerability of Roundcube which allows an attacker to modify its users preferences in a way that he/she can then read files from the server, we now published updated packages as well as patches that fix this security issue.
Please update all your Roundcube installations with the new versions (0.9-rc2, 0.8.6, 0.7.4) or patch them with the published patches. Download the latest version from http://roundcube.net/download
Patch for 0.9.x: http://ow.ly/jtQD0
Patch for 0.8.x: http://ow.ly/jtQHM
Patch for 0.7.x: http://ow.ly/jtQK0
Patch for 0.6: http://ow.ly/jtQNd
Are previous versions affected?
Looking at my 0.4 installation, save_prefs is implemented absolutely differently: there are lists of prefs for each section, and they are cherry-picked from what the client sends.
In order to find out whether one of your users has vulnerable preferences, you can run the following query on the Roundcube user database:
SELECT * FROM users WHERE preferences LIKE '%generic_message_footer%'
If this returns any results, you should at least clear the 'preferences' field of that user entry. Or better: entirely block the user because he or she most likely tried to exploit your system.
And here's some background about the vulnerability: http://lists.roundcube.net/pipermail/dev/2013-March/022328.html
Best regards,
Thomas

_______________________________________________
Roundcube Development discussion mailing list
dev@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/dev
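The detection query and clean-up step from the advisory above, worked through as an added example (this is not code from the advisory or from the Roundcube project). It assumes a `users` table with `user_id`, `username` and `preferences` columns and that `preferences` holds a PHP-serialized array, which is how Roundcube stores it; the table is built in an in-memory SQLite database from constructed sample rows so it runs offline. Beyond the bare LIKE query, it pulls the file path the suspect user planted in `generic_message_footer` (useful for knowing which file was targeted) and optionally clears the preferences field, the advisory's minimum remediation. The helper names are this example's own.

```python
import re
import sqlite3

# Constructed sample of a Roundcube `users` table (assumed schema:
# user_id, username, preferences). Values are made up for this example;
# the serialized strings follow PHP's serialize() format.
SAMPLE_ROWS = [
    (1, "alice@example.org",
     'a:2:{s:8:"timezone";s:13:"Europe/Berlin";s:8:"pagesize";i:50;}'),
    (2, "mallory@example.org",
     'a:2:{s:22:"generic_message_footer";s:11:"/etc/passwd";'
     's:8:"timezone";s:3:"UTC";}'),
    (3, "bob@example.org", None),
    (4, "eve@example.org",
     'a:1:{s:22:"generic_message_footer";s:28:"/var/www/config/main.inc.php";}'),
]

# Matches the serialized key and captures the byte length of the value.
FOOTER_RE = re.compile(rb's:22:"generic_message_footer";s:(\d+):"')


def build_sample_db():
    """Create an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        "username TEXT, preferences TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_suspect_users(conn):
    """Run the advisory's query; returns (user_id, username, preferences) rows."""
    cur = conn.execute(
        "SELECT user_id, username, preferences FROM users "
        "WHERE preferences LIKE '%generic_message_footer%'"
    )
    return cur.fetchall()


def extract_footer_path(prefs):
    """Return the generic_message_footer value from a PHP-serialized
    preferences string, or None if it is absent or malformed.

    PHP's s:N counts bytes, so the slice is taken on the UTF-8 encoding."""
    if not prefs:
        return None
    data = prefs.encode("utf-8")
    m = FOOTER_RE.search(data)
    if not m:
        return None
    length = int(m.group(1))
    start = m.end()
    end = start + length
    # The closing quote and semicolon must land exactly after N bytes;
    # anything else means the length lied and the value is untrustworthy.
    if data[end:end + 2] != b'";':
        return None
    return data[start:end].decode("utf-8", "replace")


def clear_preferences(conn, user_id):
    """Wipe one user's preferences field; returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE users SET preferences = NULL WHERE user_id = ?", (user_id,)
    )
    conn.commit()
    return cur.rowcount


def audit(conn, remediate=False):
    """List suspect users with the path they pointed the footer at.

    With remediate=True the preferences of each hit are cleared. Blocking
    the account, which the advisory recommends, is left to the operator."""
    report = []
    for user_id, username, prefs in find_suspect_users(conn):
        report.append((user_id, username, extract_footer_path(prefs)))
        if remediate:
            clear_preferences(conn, user_id)
    return report


if __name__ == "__main__":
    db = build_sample_db()
    for uid, name, path in audit(db, remediate=True):
        print(f"user {uid} ({name}) set generic_message_footer to {path!r}")
```

Against a real installation, replace `build_sample_db()` with a connection to the Roundcube database (the query is plain enough to run unchanged on MySQL or PostgreSQL) and review the reported paths before clearing anything, since the path tells you what the attacker was after.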