Date: Mon,  6 Jul 2015 22:57:07 -0400 (EDT)
From: cve-assign@...re.org
To: astieger@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6

> From https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/

> Fix XSS vulnerability in _mbox argument handling
> http://trac.roundcube.net/ticket/1490417
> 
> The XSS vulnerability can be triggered by appending malicious script
> code to the _mbox parameter.
> 
> https://{YOURSERVER}/?_task=mail&_mbox=[XSS]
> 
> Commit:
> 1.1: http://trac.roundcube.net/changeset/b782815dac/github
> Not claimed to affect 1.0.

Use CVE-2015-5381.


> Fix security issue in contact photo handling
> http://trac.roundcube.net/ticket/1490379
> 
> There is a potential for an arbitrary read from an authenticated user
> who uploads a contact (vCard) with a specially crafted POST.
> [...]
> by supplying the "_alt" param in the POST. User must be authenticated.
> [...]
> I was able to read any file on disk (that Apache has access to, e.g.
> config/config.inc.php) using a GET request
> 
> Commits:
> 1.1: http://trac.roundcube.net/changeset/681ba6fc3/github
> 1.0: http://trac.roundcube.net/changeset/6ccd4c54b/github

Use CVE-2015-5382. For 1.1, the security fix for _alt seems to be
announced in http://trac.roundcube.net/changeset/e84fafcec/github --
do you mean that part of the _alt vulnerability was fixed in
http://trac.roundcube.net/changeset/681ba6fc3/github and then a
different part of the _alt vulnerability was fixed in
http://trac.roundcube.net/changeset/e84fafcec/github (if so, then
there would potentially be another CVE ID)?


> Fix potential info disclosure issue by protecting directory access
> http://trac.roundcube.net/ticket/1490378
> 
> The logs directory is not protected from browsing. Most log entries are
> not bad, but one became evident on my host that was pretty nasty.
> 
> It looked like the following:
> 
> [25-Apr-2015 04:03:11 -0400]: <ijpv9kqo> DB Error: [1062]
>   Duplicate entry 'ijpv9kqofvpksxxxxxxxxxxxx' for key 'PRIMARY' (SQL Query: INSERT INTO `session` (`sess_id`
> 
> I obfuscated the sensitive fields, but this would be enough for a
> non-credential user to view the file (via the webroot/logs/errors file),
> and then replace their own cookies with the entry from above to log in
> as a user that was listed there.
> 
> This seems to be a very rare occurrence, but considering that other
> SQL/other actions might report other sensitive data into this file, it
> might be worth automatically protecting this directory with an .htaccess
> file, or prepending a php tag to avoid overt reading by any
> unauthenticated user.
> 
> Commits:
> http://trac.roundcube.net/changeset/012555c1c/github
> 1.1: http://trac.roundcube.net/changeset/16640c7fb0c8/github
> Not claimed to affect 1.0.

>> Add .htaccess files to deny access to config, temp, logs

Use CVE-2015-5383. Note that
http://trac.roundcube.net/browser/github/INSTALL states:

  REQUIREMENTS
  * .htaccess support allowing overrides for DirectoryIndex

Thus, we wouldn't want to have a separate CVE ID for a scenario in
which someone attempts to use Roundcube with nginx.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
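A defender-side access-log check for two of the issues discussed above (browsable config, temp and logs directories, and markup in the _mbox parameter), added here as an example; it is not part of the advisory, of the MITRE reply, or of Roundcube's own code. APP_ROOT, the Common Log Format layout and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumptions (not from the advisory): Roundcube is served from APP_ROOT on a
# web server writing Common Log Format. The sample lines below are constructed.
APP_ROOT = "/"
# Directories the 1.1.2/1.0.6 .htaccess files deny access to.
PROTECTED_DIRS = ("config", "temp", "logs")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
203.0.113.5 - - [06/Jul/2015:22:57:07 -0400] "GET /logs/errors HTTP/1.1" 200 5120
203.0.113.5 - - [06/Jul/2015:22:58:10 -0400] "GET /config/config.inc.php HTTP/1.1" 403 199
203.0.113.7 - - [06/Jul/2015:22:59:01 -0400] "GET /?_task=mail&_mbox=INBOX HTTP/1.1" 200 8800
203.0.113.7 - - [06/Jul/2015:22:59:30 -0400] "GET /?_task=mail&_mbox=INBOX%3Cb%3E HTTP/1.1" 200 8800
"""


def classify(line):
    """Return a finding tuple for one access-log line, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = unquote(url.path)  # decode percent-encoding before comparing segments
    if path.startswith(APP_ROOT):
        first = path[len(APP_ROOT):].split("/", 1)[0].lower()
        if first in PROTECTED_DIRS:
            # A 200 means the directory was served: the fix is missing or the
            # server ignores .htaccess (the nginx scenario raised above).
            verdict = "exposed" if m["status"] == "200" else "denied"
            return ("protected-dir", first, verdict, m["ip"])
    for value in parse_qs(url.query).get("_mbox", []):
        if "<" in value or ">" in value:  # a folder name should never carry markup
            return ("mbox-markup", value, "review", m["ip"])
    return None


def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```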
