Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 09 Apr 2014 10:57:16 +0200
From: Felix Eckhofer <>
Subject: Session IP check bypass in Roundcube 1.0


Roundcube 1.0-beta added support for the the X-Forwarded-For and 
X-Real-IP HTTP headers when the check_ip configuration option is set. 
This effectively allows the attacker to bypass the session IP check 
completely by setting one of these headers to the victim's IP address.

The problem is still present in the latest version (1.0).
Bug is being tracked here:


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.