Inspecting my logs, I see that cracker tools are developing an increased interest in Roundcube. For example, tests for the /bin/msgimport shell script are common.
I'm not sure if they want the script to attempt abusing it (if server configuration allows that) or to check for the Roundcube version (other tools display the CHANGELOG file, in what is obviously an identification+version probe). In any case, why are those scripts in 'roundcube/bin' instead of being elsewhere, outside of the web-accessible tree?
Carlos
List info: http://lists.roundcube.net/users/
Listas wrote:
> Inspecting my logs, I see that cracker tools are developing an increased interest in Roundcube. For example, tests for the /bin/msgimport shell script are common.
> I'm not sure if they want the script to attempt abusing it (if server configuration allows that) or to check for the Roundcube version (other tools display the CHANGELOG file, in what is obviously an identification+version probe). In any case, why are those scripts in 'roundcube/bin' instead of being elsewhere, outside of the web-accessible tree?
> Carlos
There were some concerns with bin scripts recently. See also http://trac.roundcube.net/ticket/1485269, but devs decided to put the burden of protection onto admin shoulders.
-- Dennis
On Thu, 01 Jan 2009 22:34:51 +0300, "Dennis P. Nikolaenko" dennis@nikolaenko.ru wrote:
> There were some concerns with bin scripts recently. See also http://trac.roundcube.net/ticket/1485269, but devs decided to put the burden of protection onto admin shoulders.
> -- Dennis
I haven't seen any probes looking for RC in any of my logs (any server), but I am interested in securing the bin directory. What's everyone's feel on the best method to do this?
Arne Berglund wrote:
> I haven't seen any probes looking for RC in any of my logs (any server),
At least two script-kiddie PHP vulnerability scanners probe for Roundcube, and that has shown up in several of my servers.
> but I am interested in securing the bin directory. What's everyone's feel on the best method to do this?
No, you can't just protect the whole directory. Roundcube uses the *.php stuff in /bin, so you have to disable the shell scripts. Make sure that your server configuration does not allow execution, and remove the executable bit from the *.sh files, or simply delete/move the scripts.
Carlos
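As an added illustration of the advice above (not code from the list or from the Roundcube project), this POSIX shell snippet audits a Roundcube bin/ directory, reports which *.sh scripts still carry an executable bit, and clears that bit while leaving the *.php files Roundcube needs untouched. The sample directory and its file names are constructed stand-ins for roundcube/bin.

```shell
#!/bin/sh
# Added example: audit and harden the shell scripts in a Roundcube bin/ dir.
# Only *.sh files are touched; the *.php files used by Roundcube are left alone.

# Print each *.sh file under $1 that is still executable.
list_executable_scripts() {
    dir="$1"
    for f in "$dir"/*.sh; do
        [ -e "$f" ] || continue          # no match: the glob stayed literal
        [ -x "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Clear execute permission on every executable *.sh under $1; echo how many changed.
strip_exec_bits() {
    dir="$1"
    n=0
    for f in "$dir"/*.sh; do
        [ -e "$f" ] || continue
        if [ -x "$f" ]; then
            chmod a-x "$f"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed stand-in for roundcube/bin so the example runs offline.
make_sample_bin() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho import\n' > "$d/msgimport.sh"
    printf '#!/bin/sh\necho clean\n'  > "$d/cleandb.sh"
    printf '<?php // used by Roundcube at runtime\n' > "$d/quotaimg.php"
    chmod 755 "$d/msgimport.sh" "$d/cleandb.sh" "$d/quotaimg.php"
    echo "$d"
}
```

Run `strip_exec_bits /path/to/roundcube/bin` on a real install; a second run reporting 0 confirms nothing regained the bit.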