Roundcube 1.2.2 – Remote Code Execution Vulnerability
by CIRT Team
Description:
In Roundcube 1.2.2 and earlier, user-controlled input flows unsanitized into the fifth argument of a call to PHP’s built-in function mail() which is documented as security critical. The problem is that the invocation of the mail() function will cause PHP to execute the sendmail program. The fifth argument allows to pass arguments to this execution which allows a configuration of sendmail. Since sendmail offers the –X option to log all mail traffic in a file, an attacker can abuse this option and spawn a malicious PHP file in the webroot directory of the attacked server.
Impact: A malicious user can remotely execute arbitrary commands on the underlying operating system simply by writing an email in Roundcube 1.2.2 (>= 1.0).
Mitigation: Vendor has released patch version.
Reference URL’s:
- https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
- https://roundcube.net/news/2016/09/28/updates-1.2.2-and-1.1.6-published
Recommended Posts
Cyber Threat Alert: Surge in Attacks via Compromised Third-Party Service Providers
08 Feb 2024 - Articles, English articles, Security Advisories & Alerts
Subscribe here
MEMBER OF:
