Roundcube 1.2.2 – Remote Code Execution Vulnerability
by CIRT Team
In Roundcube 1.2.2 and earlier, user-controlled input flows unsanitized into the fifth argument of a call to PHP's built-in function mail(), which is documented as security critical. Invoking mail() causes PHP to execute the sendmail program, and the fifth argument passes additional command-line arguments to that execution, which allows sendmail to be configured. Since sendmail offers the -X option to log all mail traffic to a file, an attacker can abuse this option to create a malicious PHP file in the webroot directory of the attacked server.
Impact: A malicious user can remotely execute arbitrary commands on the underlying operating system simply by writing an email in Roundcube 1.2.2 (>= 1.0).
Mitigation: The vendor has released a patched version.
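For code that builds the fifth argument of mail() itself, the check below shows the weak pattern described above beside a hardened form. It is an added example, not Roundcube's code or the vendor's patch; the function names `safe_envelope_sender` and `send_message` and the sample addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Return $from if it is safe to use as the sendmail envelope sender, else null.
 * Hypothetical helper for this example; not part of Roundcube.
 */
function safe_envelope_sender(string $from): ?string
{
    // Syntactic e-mail check first.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // filter_var() alone is not enough: it accepts quoted local parts, which
    // may contain spaces. Require a conservative allowlist with no
    // whitespace, quotes or backslashes as well.
    if (!preg_match('/\A[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\z/', $from)) {
        return null;
    }
    return $from;
}

function send_message(string $to, string $subject, string $body, string $headers, string $from): bool
{
    // Weak pattern: the address is concatenated as-is, so whitespace in it
    // starts a new sendmail argument.
    //   mail($to, $subject, $body, $headers, '-f' . $from);

    $sender = safe_envelope_sender($from);
    if ($sender === null) {
        return false; // refuse the message rather than try to repair the value
    }
    return mail($to, $subject, $body, $headers, '-f' . $sender);
}

// Constructed sample inputs; only the validator runs here, no mail is sent.
$samples = [
    'alice@example.com',
    'alice@example.com -X/constructed/path',
    '"alice -X/constructed/path"@example.com',
];
foreach ($samples as $s) {
    printf("%-45s %s\n", $s, safe_envelope_sender($s) === null ? 'rejected' : 'accepted');
}
```

Only the first sample is accepted; the other two contain whitespace that would otherwise introduce a separate sendmail argument.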