Date: Thu, 28 Mar 2013 10:47:27 -0400 (EDT) From: Jan Lieskovsky <jlieskov@...hat.com> To: oss-security@...ts.openwall.com Cc: "Steven M. Christey" <coley@...us.mitre.org> Subject: CVE Request -- roundcubemail: Local file inclusion via web UI modification of certain config options Hello Kurt, Steve, vendors, RoundCube Webmail upstream has released 0.8.6 and 0.7.3 versions to correct one security flaw: A local file inclusion flaw was found in the way RoundCube Webmail, a browser-based multilingual IMAP client, performed validation of the 'generic_message_footer' value provided via web user interface in certain circumstances. A remote attacker could issue a specially-crafted request that, when processed by RoundCube Webmail could allow an attacker to obtain arbitrary file on the system, accessible with the privileges of the user running RoundCube Webmail client. References:  https://bugzilla.redhat.com/show_bug.cgi?id=928835  http://sourceforge.net/news/?group_id=139281&id=310497  http://lists.roundcube.net/pipermail/dev/2013-March/022328.html  https://bugs.gentoo.org/show_bug.cgi?id=463554 Upstream patches:  http://ow.ly/jtQD0  http://ow.ly/jtQHM  http://ow.ly/jtQK0  http://ow.ly/jtQNd Could you allocate a CVE id for this? Than you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.