Date: Mon,  6 Jul 2015 22:57:07 -0400 (EDT)
Subject: Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6

> From

> Fix XSS vulnerability in _mbox argument handling
> The XSS vulnerability can be triggered by appending malicious script
> code to the _mbox parameter.
> https://{YOURSERVER}/?_task=mail&_mbox=[XSS]
> Commit:
> 1.1:
> Not claimed to affect 1.0.

Use CVE-2015-5381.

> Fix security issue in contact photo handling
> There is a potential for an arbitrary read from an authenticated user
> who uploads a contact (vCard) with a specially crafted POST.
> [...]
> by supplying the "_alt" param in the POST. User must be authenticated.
> [...]
> I was able to read any file on disk (the apache has access to, e.g.
> config/ using GET request
> Commits:
> 1.1:
> 1.0:

Use CVE-2015-5382. For 1.1, the security fix for _alt seems to be
announced in --
do you mean that part of the _alt vulnerability was fixed in and then a
different part of the _alt vulnerability was fixed in (if so, then
there would potentially be another CVE ID)?

> Fix potential info disclosure issue by protecting directory access
> The logs directory is not protected from browsing. Most log entries are
> not bad, but one became evident on my host that was pretty nasty.
> It looked like the following:
> [25-Apr-2015 04:03:11 -0400]: <ijpv9kqo> DB Error: [1062]
>   Duplicate entry 'ijpv9kqofvpksxxxxxxxxxxxx' for key 'PRIMARY' (SQL Query: INSERT INTO `session` (`sess_id`
> I obfuscated the sensitive fields, but this would be enough for a
> non-credential user to view the file (via the webroot/logs/errors file),
> and then replace their own cookies with the entry from above to log in
> as a user that was listed there.
> This seems to be a very rare occurrence, but considering that other
> SQL/other actions might report other sensitive data into this file, it
> might be worth automatically protecting this directory with an .htaccess
> file, or prepending a php tag to avoid overt reading by any
> unauthenticated user.
> Commits:
> 1.1:
> Not claimed to affect 1.0.

>> Add .htaccess files to deny access to config, temp, logs

Use CVE-2015-5383. Note that states:

  * .htaccess support allowing overrides for DirectoryIndex

Thus, we wouldn't want to have a separate CVE ID for a scenario in
which someone attempts to use Roundcube with nginx.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
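An added example, not part of the original thread or of Roundcube's own configuration: the MITRE note above points out that .htaccess files only help under Apache, so an nginx deployment needs the equivalent deny rules in its server block. The server name, document root and PHP-FPM socket path below are assumptions.

```nginx
# Added example (not from the original message). nginx ignores Apache
# .htaccess files, so the directory protection introduced in 1.1.2 has to
# be expressed in the server block itself.
server {
    listen 80;
    server_name roundcube.example.invalid;   # constructed placeholder
    root /var/www/roundcubemail;             # assumed install path
    index index.php;

    # Refuse direct browsing of the three directories the fix protects.
    # Without this, e.g. /logs/errors can expose session IDs written by
    # DB errors, as in the log line quoted in the thread. `return` runs in
    # the rewrite phase, before access checks, so no `deny all` is needed.
    location ~ ^/(config|temp|logs)/ {
        return 404;   # 404 rather than 403: do not confirm the path exists
    }

    # Also refuse to serve dot-files, including the .htaccess files that
    # the Apache-oriented fix adds.
    location ~ /\. {
        return 404;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php-fpm.sock;  # assumed PHP-FPM socket
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After reloading, a request for /logs/errors should return 404 instead of the file contents; a 200 means the location block is not being matched (check for an earlier, more specific location that wins).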