Kris Steinhoff wrote:
The scripts in the bin directory may be slightly more vulnerable to denial of service attacks. But I'm more worried about the potential for bugs in those scripts (or stuff they call) that could be a vector for more serious attacks.
Usage of those scripts should be limited to users know to RoundCube.
If the added weight of creating the $RCMAIL instance is a concern, then perhaps we could use a different (lighter) approach to verifying that the user running the script is a valid RoundCube user.
-kris
I strongly agree with Kris that it is preferable to spend a few more CPU cycles if it reduces the exposure of our systems to attack. Since we've recently found two of the three web scripts in that directory to be vulnerable, I find the trade-off to be very compelling.
I've created a ticket with a patch for this.
http://trac.roundcube.net/ticket/1485645
-Jim
List info: http://lists.roundcube.net/dev/