After getting reports about a possible vulnerability of Roundcube which allows an attacker to modify its users preferences in a way that he/she can then read files from the server, we now published updated packages as well as patches that fix this security issue.
Please update all your Roundcube installations with the new versions (0.9-rc2, 0.8.6, 0.7.4) or patch them with the published patches. Download the latest version from http://roundcube.net/download
Patch for 0.9.x: http://ow.ly/jtQD0
Patch for 0.8.x: http://ow.ly/jtQHM
Patch for 0.7.x: http://ow.ly/jtQK0
Patch for 0.6: http://ow.ly/jtQNd
In order to find out whether one of your users has vulnerable preferences, you can run the following query on the Roundcube user database:
SELECT * FROM users WHERE preferences LIKE '%generic_message_footer%'
If this returns any results, you should at least clear the 'preferences' field of that user entry. Or better: entirely block the user because he or she most likely tried to exploit your system.
And here's some background about the vulnerability: http://lists.roundcube.net/pipermail/dev/2013-March/022328.html
Best regards, Thomas
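The check Thomas describes (run the LIKE query against the users table, then clear the preferences of any user it returns) can be scripted so that detection and clean-up are repeatable and auditable. The following is an added example, not code from the advisory or from the Roundcube project. It runs against an in-memory SQLite database with a deliberately simplified users table (only user_id, username and preferences; a real Roundcube schema has more columns and usually lives in MySQL or PostgreSQL), and the three sample rows, including the PHP-serialized preference strings, are constructed for the example.

```python
import sqlite3

# The preference key named in the advisory; its presence in a user's
# serialized preferences is what the published query looks for.
SUSPICIOUS_KEY = "generic_message_footer"

# Constructed sample rows. Roundcube stores preferences as a PHP-serialized
# array; the second row contains the suspicious key with a placeholder value.
SAMPLE_USERS = [
    (1, "alice@example.com",
     'a:1:{s:8:"timezone";s:13:"Europe/Zurich";}'),
    (2, "mallory@example.com",
     'a:2:{s:8:"timezone";s:3:"UTC";s:22:"generic_message_footer";s:8:"tampered";}'),
    (3, "bob@example.com", None),  # user who never saved any preferences
]


def build_sample_db():
    """Create an in-memory database with a simplified users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "user_id INTEGER PRIMARY KEY, username TEXT NOT NULL, preferences TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_flagged_users(conn):
    """Return (user_id, username) for every user whose preferences contain the key.

    This is the advisory's query with the column list narrowed; a NULL
    preferences column never matches LIKE, so untouched accounts are skipped.
    """
    return conn.execute(
        "SELECT user_id, username FROM users WHERE preferences LIKE ?",
        ("%" + SUSPICIOUS_KEY + "%",),
    ).fetchall()


def clear_preferences(conn, user_ids):
    """Clear the preferences field of the given users; returns rows changed."""
    changed = 0
    for uid in user_ids:
        cur = conn.execute(
            "UPDATE users SET preferences = NULL WHERE user_id = ?", (uid,)
        )
        changed += cur.rowcount
    conn.commit()
    return changed


if __name__ == "__main__":
    db = build_sample_db()
    flagged = find_flagged_users(db)
    for user_id, username in flagged:
        print(f"suspicious preferences: user_id={user_id} username={username}")
    print(f"cleared {clear_preferences(db, [uid for uid, _ in flagged])} user(s)")
    print(f"remaining matches after clean-up: {len(find_flagged_users(db))}")
```

Clearing the field is the minimum the advisory asks for; the flagged usernames are what you would hand to whoever decides about blocking the account, so keep that list rather than only the count.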
On 03/27/2013 06:02 PM, Thomas Bruederli wrote:
After getting reports about a possible vulnerability of Roundcube which allows an attacker to modify its users preferences in a way that he/she can then read files from the server, we now published updated packages as well as patches that fix this security issue.
Please update all your Roundcube installations with the new versions (0.9-rc2, 0.8.6, 0.7.4) or patch them with the published patches.
Thanks for this work. I don't yet see the tags for these releases in the git repo at https://github.com/roundcube/roundcubemail
maybe someone needs to "git push --tags" ?
If it would be possible to sign the tags when creating them, that would be very much appreciated :)
Thanks for roundcube!
--dkg
On 2013-03-27 16:09, Daniel Kahn Gillmor wrote:
On 03/27/2013 06:02 PM, Thomas Bruederli wrote:
After getting reports about a possible vulnerability of Roundcube which allows an attacker to modify its users preferences in a way that he/she can then read files from the server, we now published updated packages as well as patches that fix this security issue.
Please update all your Roundcube installations with the new versions (0.9-rc2, 0.8.6, 0.7.4) or patch them with the published patches.
Thanks for this work. I don't yet see the tags for these releases in the git repo at https://github.com/roundcube/roundcubemail
maybe someone needs to "git push --tags" ?
If it would be possible to sign the tags when creating them, that would be very much appreciated :)
It's probably a moot point, but I see the tags, they're just not prefixed by 'v' like the rest.
Thanks for roundcube!
I second that!
~David
On 03/27/2013 10:38 PM, David Mohr wrote:
On 2013-03-27 16:09, Daniel Kahn Gillmor wrote:
On 03/27/2013 06:02 PM, Thomas Bruederli wrote:
[...]
Please update all your Roundcube installations with the new versions (0.9-rc2, 0.8.6, 0.7.4) or patch them with the published patches.
Thanks for this work. I don't yet see the tags for these releases in the git repo at https://github.com/roundcube/roundcubemail
[...]
It's probably a moot point, but I see the tags, they're just not prefixed by 'v' like the rest.
Well, they weren't there when I wrote my earlier e-mail, and they're there now. Looks like they were made by (and probably pushed by) Thomas. Thanks for taking care of this, Thomas!
--dkg
28.03.2013 01:02, Thomas Bruederli wrote:
After getting reports about a possible vulnerability of Roundcube which allows an attacker to modify its users preferences in a way that he/she can then read files from the server, we now published updated packages as well as patches that fix this security issue.
Please update all your Roundcube installations with the new versions (0.9-rc2, 0.8.6, 0.7.4) or patch them with the published patches. Download the latest version from http://roundcube.net/download
Patch for 0.9.x: http://ow.ly/jtQD0
Patch for 0.8.x: http://ow.ly/jtQHM
Patch for 0.7.x: http://ow.ly/jtQK0
Patch for 0.6: http://ow.ly/jtQNd
Are previous versions affected?
Looking at my 0.4 installation, save_prefs is implemented absolutely differently: there are lists of prefs for each section, and they are cherry-picked from what the client sends.
In order to find out whether one of your users has vulnerable preferences, you can run the following query on the Roundcube user database:
SELECT * FROM users WHERE preferences LIKE '%generic_message_footer%'
If this returns any results, you should at least clear the 'preferences' field of that user entry. Or better: entirely block the user because he or she most likely tried to exploit your system.
And here's some background about the vulnerability: http://lists.roundcube.net/pipermail/dev/2013-March/022328.html
Best regards, Thomas
_______________________________________________
Roundcube Development discussion mailing list
dev@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/dev
On 03/28/2013 09:54 AM, Vladislav Bogdanov wrote:
Patch for 0.6: http://ow.ly/jtQNd
Are previous versions affected?
Looking at my 0.4 installation, save_prefs is implemented absolutely differently: there are lists of prefs for each section, and they are cherry-picked from what the client sends.
0.4 is vulnerable too, you're looking in the wrong place. The issue is in steps/utils/save_pref.inc. We don't support such very old releases.
On Thu, Mar 28, 2013 at 10:13 AM, A.L.E.C alec@alec.pl wrote:
On 03/28/2013 09:54 AM, Vladislav Bogdanov wrote:
Patch for 0.6: http://ow.ly/jtQNd
Are previous versions affected?
Looking at my 0.4 installation, save_prefs is implemented absolutely differently: there are lists of prefs for each section, and they are cherry-picked from what the client sends.
0.4 is vulnerable too, you're looking in the wrong place. The issue is in steps/utils/save_pref.inc. We don't support such very old releases.
True, but nevertheless, the 0.6 patches should work for older versions, too.
~Thomas
28.03.2013 12:13, A.L.E.C wrote:
On 03/28/2013 09:54 AM, Vladislav Bogdanov wrote:
Patch for 0.6: http://ow.ly/jtQNd
Are previous versions affected?
Looking at my 0.4 installation, save_prefs is implemented absolutely differently: there are lists of prefs for each section, and they are cherry-picked from what the client sends.
It is r3787 (Mon, 28 Jun 2010) https://github.com/roundcube/roundcubemail/tree/bdb13a51f735623146f1ac81d932... with local patches to be precise.
0.4 is vulnerable too, you're looking in the wrong place. The issue is in steps/utils/save_pref.inc.
program/steps/settings/save_prefs.inc in my tree.
This one - https://github.com/roundcube/roundcubemail/blob/bdb13a51f735623146f1ac81d932...
This revision uses static lists of per-section prefs. I can't believe it is vulnerable.
We don't support such very old releases.
I understand. You go toooo fast for me to follow ;) Keep going!
It would be nice if you dig exact commit which introduced this.
On 03/29/2013 07:48 AM, Vladislav Bogdanov wrote:
0.4 is vulnerable too, you're looking in the wrong place. The issue is in steps/utils/save_pref.inc.
program/steps/settings/save_prefs.inc in my tree.
This one - https://github.com/roundcube/roundcubemail/blob/bdb13a51f735623146f1ac81d932...
Ok, your version doesn't have utils/save_pref.inc and is not vulnerable, but 0.4.1 (I've checked for example) is.
29.03.2013 09:59, A.L.E.C wrote:
On 03/29/2013 07:48 AM, Vladislav Bogdanov wrote:
0.4 is vulnerable too, you're looking in the wrong place. The issue is in steps/utils/save_pref.inc.
program/steps/settings/save_prefs.inc in my tree.
This one - https://github.com/roundcube/roundcubemail/blob/bdb13a51f735623146f1ac81d932...
Ok, your version doesn't have utils/save_pref.inc and is not vulnerable, but 0.4.1 (I've checked for example) is.
Thanks. That means that versions before 0.4.1 are not affected.
On 03/29/2013 08:21 AM, Vladislav Bogdanov wrote:
Thanks. That means that versions before 0.4.1 are not affected.
No, that's not what I've said. Most likely 0.4.0 is also vulnerable. The commit you provided is just some git checkout before the stable release.
29.03.2013 10:41, A.L.E.C wrote:
On 03/29/2013 08:21 AM, Vladislav Bogdanov wrote:
Thanks. That means that versions before 0.4.1 are not affected.
No, that's not what I've said. Most likely 0.4.0 is also vulnerable. The commit you provided is just some git checkout before the stable release.
Hm. https://github.com/roundcube/roundcubemail/blob/v0.4.1/program/steps/utils/s... was created by https://github.com/roundcube/roundcubemail/commit/614c642a4ba8b050ecb26d25d3... on Sep 17, 2010.
0.4.1 was released 2010-09-29 (according to downloads) or Oct 06, 2010 (according to the git tag), so it includes that commit. 0.4 was released 2010-08-07, so it doesn't have it.
So I seem to be correct.
On 03/29/2013 08:58 AM, Vladislav Bogdanov wrote:
0.4.1 was released 2010-09-29 (according to downloads) or Oct 06, 2010 (according to the git tag), so it includes that commit. 0.4 was released 2010-08-07, so it doesn't have it.
So I seem to be correct.
You're right. These days we are more strict about adding new features after stable release.