On 27.03.2013 17:04, Sergey Sidlyarenko wrote:
A hacker first changes the value of the user preference generic_message_footer to any file that Roundcube is allowed to read (config/db.inc.php, config/main.inc.php), then sends themselves a message (with the config file included). This allows viewing the session crypto key and the DB user and password. If phpmyadmin (mysql) or pgmyadmin (pgsql) is installed at the hosting and sessions are saved in the DB, the hacker gets the user's mail login and password.
else if (!empty($CONFIG['generic_message_footer'])) { $footer = file_get_contents(realpath($CONFIG['generic_message_footer']));
ouch - realpath is completely useless for safety
the only safe way for such things is INSTALL_PATH_CONSTANT . basename($CONFIG['generic_message_footer']) or COMPLETELY avoid letting a USER define which files are used to display and store the text in the database, OR use a fixed path for the default
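To make the basename() suggestion above concrete, here is an added example (not Roundcube's code and not from either poster) showing the fragile realpath() pattern next to a hardened lookup that pins the footer to a fixed directory. It assumes an INSTALL_PATH constant for the application root, a $CONFIG array shaped like the snippet, and a made-up footer directory name.

```php
<?php
// Added example, not Roundcube's code. INSTALL_PATH, the $CONFIG contents and
// the 'skins/footer' directory are assumptions constructed for this demo.
define('INSTALL_PATH', __DIR__ . '/');
$CONFIG = array('generic_message_footer' => '../config/db.inc.php'); // constructed

// Pattern from the thread: realpath() only canonicalises the path, it does not
// restrict where it may point, so any file readable by the web server is accepted.
function footer_unsafe(array $config) {
    $path = realpath($config['generic_message_footer']);
    return $path === false ? '' : file_get_contents($path);
}

// Hardened version: strip every directory component with basename(), then
// confirm the resolved file still lies inside the fixed footer directory.
function footer_safe(array $config, $footer_dir) {
    $name = basename($config['generic_message_footer']);
    if ($name === '' || $name[0] === '.') {
        return '';   // reject empty names and dot entries such as '..'
    }
    $base = realpath($footer_dir);
    $file = realpath($footer_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $file === false) {
        return '';   // directory or file does not exist
    }
    // Prefix check catches symlinks inside the directory that resolve elsewhere.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return '';
    }
    return file_get_contents($file);
}

// With the constructed config, only <INSTALL_PATH>skins/footer/db.inc.php is
// ever considered; it does not exist here, so nothing is read.
echo footer_safe($CONFIG, INSTALL_PATH . 'skins/footer');
```

Storing the footer text itself in the database, as the reply also suggests, removes the file lookup entirely and is the simpler fix where a per-user footer is really wanted.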