Hello,
This is in regards to http://lists.roundcube.net/mail-archive/announce/2008-12/0000000.html
Let me know if this is the wrong venue, I was directed here by a forum moderator.
I have several old versions of roundcube deployed for clients. Recently two of them were compromised using this vulnerability. My fault for not staying up to date, I think I even emailed myself the security update bulletin just never did it.
At any rate, the vulnerability was used to create an adware serving system.
My real question is this, contained in the adware directory are some large text files that I deduce the adware author used to rotate links etc., these files contain links to other compromised roundcube sites.
What would be the best way to go about the process of notifying these admins??
Although this was several months ago, I just spot checked some of the links and they are still compromised.
Thanks,
Andy
List info: http://lists.roundcube.net/dev/