Dear Roundcube users and lovers,
We're happy to announce another release of the Roundcube webmail suite. This service update brings some more bug fixes and stability improvements and it includes an updated version of the TinyMCE editor which is now supposed to work correctly in IE9.
It is considered stable and we recommend updating all existing Roundcube installations with this release. For a complete list of changes see http://trac.roundcube.net/wiki/Changelog. Packages can be downloaded from the usual place: http://roundcube.net/download
Have fun and happy Easter, Thomas
Hi all,
I just upgraded to 0.5.2. Easy to do. However, I noticed that the address book entries have disappeared.
The entries are still in the dB, yet RC does not display these.
Example:
| *5* |
| 36 | 2011-04-01 16:32:09 | 1 | lyn.jim@aaa.co.uk | fred.fred@aaaa.co.uk | | | BEGIN:VCARD
VERSION:3.0
FN:lyn.jim@aaa.co.uk
N:;;;;
EMAIL;type=INTERNET;type=HOME;type=pref:fred.fred@aaa.co.uk
END:VCARD
Perhaps the userids are not matching up?
| user_id | int(10) unsigned | NO | MUL | 0 | |
I ought to mend this before the users notice... Hmm.
Regards, S
By the way, just checked the apache error logs and noticed these:
[Wed Apr 27 12:24:31 2011] [crit] [client 11.11.11.11] (13)Permission denied: /www/roundcube/admin/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable, referer: https://webmail.xxx.xxx.co.uk/?_task=logout
There is no /www/roundcube/admin/.htaccess configured. Why is it trying to access this? Perhaps I can disable this somewhere as I don't use htaccess files.
Address book problem is likely not upgrade related as only one user affected. All others report addresses being there. Please close/ignore this thread I have started.
Hi
I strongly recommend you create the .htaccess files to secure your installation from unsavoury access.
Regards, Michael L Griffin
He who play in root, eventually kill tree.
-- List info: http://lists.roundcube.net/users/ BT/c4100e82
No, I disagree. Why do I need an .htaccess?
All files are either 644 or 400, and all dirs are either 700 or 755 where applicable.
All files owned by root.
Please elaborate?
For example for PHP settings, as these can be adjusted for Roundcube in the .htaccess. If you have a dedicated server for Roundcube then you could also set it all in your php.ini.
What about the log dirs? They must be writable by the web server or do you use syslog?
(sorry jkl for sending this twice, forgot to add RC users list to cc)
Hi Claudio,
PHP is only set in /etc/php5/apache2/php.ini (or somewhere like this).
Syslog is used for logging.
No logging to files.
The only writeable directory is /TEMP, which is 770 and root:www-data. Additionally, the mounts have nosuid on there. However, I would like to relocate the temp dir off to another mount point which is mounted with nosuid,noexec. Unsure if Roundcube allows for this. Does anyone know?
J.
Hi,
I am now back in work, and can check the server.
The RC installation is already on a mount point with noexec,nosuid. I could not remember last night. I don't know what could be gained by moving the temp dir outside of the RC installation. Might be unwanted.
I use syslog, but the logging directory is set up anyway. Perms are root:www-data, 770.
A note about the vhost config: (logs dir is defined in case it is ever used. Unlikely that this is)
<Directory /www/roundcube/temp>
    Options -FollowSymLinks
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>
<Directory /www/roundcube/logs>
    Options -FollowSymLinks
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>
On 27/04/2011 21:30, JK4 wrote:
The only writeable directory is *<installdir>/temp*, which is 770 and root:www-data.
The attack you are mainly worried about is that if the /temp dir can be reached via some real URL, then the user contrives to make your application create some temp file called abc.php or abc.ssi or .pl or .lua or something else that your www-server will "execute" when the user visits that file directly.
This is usually more of a problem for nginx than apache users (with apache you can toss a .htaccess into temp which disables PHP in that dir). With Nginx, many of the suggested configs cause any url of the form *.php to be passed to the php interpreter (note I said URL, not real file) - with a bit of lateral thinking you can often contrive ways to make the php interpreter execute some interesting file based on the input URL... (eg create some directory called abc.php and observe what certain php configs will do when asked to exec it...)
Basically the rule is never to allow a direct path through to any asset which has been created from some untrusted source, ie any upload/temp file should never be directly accessible via a url (at least until you have sanitised it in some appropriate way). Simplest way to achieve this is to move any upload dirs out of the htdocs path...
List info: http://lists.roundcube.net/users/ BT/9b404e9e
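The rule in the last post can be checked on a server with a short audit. The following is an added example, not part of the original thread or of Roundcube: it walks a document root and reports directories that group or other can write to, script-like files inside them, and directories whose names end in a script extension. The function names, finding labels and sample tree are constructed for illustration, and it assumes the web server reaches the files through group or other permissions, as with the root:www-data 770 temp directory described in the thread.

```python
import os
import stat

# Extensions the post above names as ones a web server may "execute".
SCRIPT_EXTS = (".php", ".ssi", ".pl", ".lua")


def non_owner_writable(path):
    """True if group or other may write, e.g. the 770 root:www-data temp dir."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_docroot(docroot, script_exts=SCRIPT_EXTS):
    """Return sorted (kind, path relative to docroot) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        writable = non_owner_writable(dirpath)
        if writable:
            # Files can be created here and the directory sits under the docroot.
            findings.append(("writable-dir-in-docroot", rel))
        for name in dirnames:
            # A directory called abc.php can confuse URL-based handler rules.
            if name.lower().endswith(script_exts):
                findings.append(("dir-named-like-script",
                                 os.path.normpath(os.path.join(rel, name))))
        if writable:
            for name in filenames:
                if name.lower().endswith(script_exts):
                    findings.append(("script-in-writable-dir",
                                     os.path.normpath(os.path.join(rel, name))))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed layout: a program dir plus a writable temp dir with planted names."""
    layout = {"program": 0o755, "temp": 0o770, "temp/abc.php": 0o755}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit, so the result does not depend on umask
    for rel in ("index.php", "program/app.php", "temp/abc.lua", "temp/upload.tmp"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for kind, path in audit_docroot(root):
            print(f"{kind}: {path}")
```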