Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon,  6 Jul 2015 22:57:07 -0400 (EDT)
From: cve-assign@...re.org
To: astieger@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> From https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/

> Fix XSS vulnerability in _mbox argument handling
> http://trac.roundcube.net/ticket/1490417
> 
> The XSS vulnerability can be triggered by appending malicious script
> code to the _mbox parameter.
> 
> https://{YOURSERVER}/?_task=mail&_mbox=[XSS]
> 
> Commit:
> 1.1: http://trac.roundcube.net/changeset/b782815dac/github
> Not claimed to affect 1.0.

Use CVE-2015-5381.


> Fix security issue in contact photo handling
> http://trac.roundcube.net/ticket/1490379
> 
> There is a potential for an arbitrary read from an authenticated user
> who uploads a contact (vCard) with a specially crafted POST.
> [...]
> by supplying the "_alt" param in the POST. User must be authenticated.
> [...]
> I was able to read any file on disk (the apache has access to, e.g.
> config/config.inc.php) using GET request
> 
> Commits:
> 1.1: http://trac.roundcube.net/changeset/681ba6fc3/github
> 1.0: http://trac.roundcube.net/changeset/6ccd4c54b/github

Use CVE-2015-5382. For 1.1, the security fix for _alt seems to be
announced in http://trac.roundcube.net/changeset/e84fafcec/github --
do you mean that part of the _alt vulnerability was fixed in
http://trac.roundcube.net/changeset/681ba6fc3/github and then a
different part of the _alt vulnerability was fixed in
http://trac.roundcube.net/changeset/e84fafcec/github (if so, then
there would potentially be another CVE ID)?


> Fix potential info disclosure issue by protecting directory access
> http://trac.roundcube.net/ticket/1490378
> 
> The logs directory is not protected from browsing. Most log entries are
> not bad, but one became evident on my host that was pretty nasty.
> 
> It looked like the following:
> 
> [25-Apr-2015 04:03:11 -0400]: <ijpv9kqo> DB Error: [1062]
>   Duplicate entry 'ijpv9kqofvpksxxxxxxxxxxxx' for key 'PRIMARY' (SQL Query: INSERT INTO `session` (`sess_id`
> 
> I obfuscated the sensitive fields, but this would be enough for a
> non-credential user to view the file (via the webroot/logs/errors file),
> and then replace their own cookies with the entry from above to log in
> as a user that was listed there.
> 
> This seems to be a very rare occurrence, but considering that other
> SQL/other actions might report other sensitive data into this file, it
> might be worth automatically protecting this directory with an .htaccess
> file, or prepending a php tag to avoid overt reading by any
> unauthenticated user.
> 
> Commits:
> http://trac.roundcube.net/changeset/012555c1c/github
> 1.1: http://trac.roundcube.net/changeset/16640c7fb0c8/github
> Not claimed to affect 1.0.

>> Add .htaccess files to deny access to config, temp, logs

Use CVE-2015-5383. Note that
http://trac.roundcube.net/browser/github/INSTALL states:

  REQUIREMENTS
  * .htaccess support allowing overrides for DirectoryIndex

Thus, we wouldn't want to have a separate CVE ID for a scenario in
which someone attempts to use Roundcube with nginx.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVmz8CAAoJEKllVAevmvmsLckIAL47aKRrnOeVXtXHMTUf+6/z
w7Q6yHbobqqZRCd5eoXjS6eZZynhivrU07M78N9CBTGbDeIQW2HgKN9O0y/dXpsJ
gRSzYxYDI/ZmZOPpzgVz8fdnShMSgBllTw7aW3LtzopLcQr1QBJ/j0JGp/CIyoPK
dRV8uRVkiiM186+qQ87smaihvRf8kzjGVFb3+1xMmv2wJiTYO+0WG1efvBCEpwL+
wOayt6VNgKPrr0MCdopzbng91YPPgyOmGPZnfPRS1iyFxvXJaFSU2BeYs8NVpXtl
wXJc9Fe45Vn/6Rjo+uIIgai32Qk3+H23sE+Rki0eHjF8V3nUIBidH0SByBZslUY=
=6Mwi
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.