Roundcube 1.2.2 – Remote Code Execution Vulnerability
by CIRT Team
Description:
In Roundcube 1.2.2 and earlier, user-controlled input flows unsanitized into the fifth argument of a call to PHP's built-in function mail(), which the PHP documentation flags as security critical. Invoking mail() causes PHP to execute the sendmail program, and the fifth argument passes additional command-line arguments to that execution, which allows sendmail to be configured by the caller. Because sendmail offers the -X option to log all mail traffic to a file, an attacker can abuse this option to write a malicious PHP file into the webroot directory of the attacked server.
Impact: A malicious user can remotely execute arbitrary commands on the underlying operating system simply by writing an email in Roundcube 1.2.2 and earlier versions (>= 1.0).
Mitigation: The vendor has released a patched version.
Reference URLs:
- https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
- https://roundcube.net/news/2016/09/28/updates-1.2.2-and-1.1.6-published
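The following is an added example, not Roundcube's own code or the vendor's fix, showing the defensive pattern the description implies: never let an unvalidated address reach the fifth argument of mail(). PHP applies escapeshellcmd() to that argument, which neutralises shell metacharacters but does not escape spaces, so a value containing whitespace can still introduce extra sendmail options. The helper names (safeEnvelopeSender, sendWithSender) and the example addresses are assumptions made for this illustration.

```php
<?php
// Added example (not Roundcube's code): validate the envelope sender before it
// is placed in mail()'s fifth argument. Helper names are hypothetical.

function safeEnvelopeSender(string $from): ?string
{
    // First gate: PHP's built-in syntactic email validation.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Second gate: FILTER_VALIDATE_EMAIL tolerates quoted local parts, which may
    // contain spaces. Restrict to a conservative character set that cannot hold
    // whitespace, quotes, or a leading dash, so no extra sendmail argument can be
    // smuggled in alongside -f.
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $from)
        || $from[0] === '-') {
        return null;
    }
    return $from;
}

function sendWithSender(string $to, string $subject, string $body, string $from): bool
{
    $sender = safeEnvelopeSender($from);
    if ($sender === null) {
        // Untrusted value: fall back to the server default instead of passing it
        // to sendmail's command line (fallback address is a constructed placeholder).
        return mail($to, $subject, $body, "From: noreply@example.invalid");
    }
    // Only the validated address reaches the fifth argument.
    return mail($to, $subject, $body, "From: $sender", '-f' . $sender);
}

// Constructed inputs demonstrating the gate (no mail is sent here).
var_dump(safeEnvelopeSender('alice@example.invalid'));          // string: accepted
var_dump(safeEnvelopeSender('"a b"@example.invalid'));           // NULL: whitespace rejected
var_dump(safeEnvelopeSender('-bad@example.invalid'));            // NULL: leading dash rejected
var_dump(safeEnvelopeSender('alice@example.invalid -Xlog'));     // NULL: extra token rejected
```

The point of the second regular expression is that syntactic validity and shell safety are different properties; an address can be RFC-valid and still carry a space. When the application does not need to set the envelope sender per message, the simplest mitigation is to omit the fifth argument entirely and configure the sender in the MTA.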