Date: Mon, 6 Jul 2015 14:19:56 +0200
From: Andreas Stieger <>
Subject: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and


I am requesting CVE identifiers for the three vulnerabilities fixed in
roundcubemail 1.1.2 and 1.0.6. Quotes shortened for brevity and relevance:

> The security-related fixes in particular are:
> * XSS vulnerability in _mbox argument

Fix XSS vulnerability in _mbox argument handling (#1490417)

The XSS-vulnerability can be triggered by appending malicious script
code to the _mbox-parameter. The following example will pop an alert box:


Attackers could use this vulnerability to steal cookies or extract

Not claimed to affect 1.0.

> * security improvement in contact photo handling

Fix security issue in contact photo handling (#1490379)

There is a potential for an arbitrary read from an authenticated user
who uploads a contact (vCard) with a specially crafted POST.
by supplying the "_alt" param in the POST. User must be authenticated.
I was able to read any file on disk (the apache has access to, e.g.
config/ using GET request


> * potential info disclosure from temp directory

Fix potential info disclosure issue by protecting directory access
(#1490378)

The logs directory is not protected from browsing. Most log entries are
not bad, but one became evident on my host that was pretty nasty.

It looked like the following:

[25-Apr-2015 04:03:11 -0400]: <ijpv9kqo> DB Error: [1062] Duplicate entry 'ijpv9kqofvpksxxxxxxxxxxxx' for key 'PRIMARY' (SQL Query: INSERT INTO `session` (`sess_id`, `vars`, `ip`, `created`, `changed`) VALUES ('ijpv9kqofvpksxxxxxxxx', 'xxxxxxxxxxxxxxxxxxxxxxx=', '', now(), now())) in /var/www/html/roundcubemail-1.1.1/program/lib/Roundcube/rcube_db.php on line 543 (POST /roundcubemail-1.1.1/?_task=mail&_action=refresh?_task=&_action=)

I obfuscated the sensitive fields, but this would be enough for a
non-credential user to view the file (via the webroot/logs/errors file),
and then replace their own cookies with the entry from above to log in
as a user that was listed there.

This seems to be a very rare occurrence, but considering that other
SQL/other actions might report other sensitive data into this file, it
might be worth automatically protecting this directory with an .htaccess
file, or prepending a php tag to avoid overt reading by any
unauthenticated user.

Not claimed to affect 1.0.


Andreas Stieger <>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
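
Added example (not part of the original message and not Roundcube's own code): a Python check for the third issue above, which scans an errors log for entries shaped like the quoted DB Error line that record a session INSERT, and redacts the logged values. The sample lines and the names find_session_leaks and redact are constructed for illustration.

```python
import re

# Constructed sample values; real ones would be a live session id and its data.
SAMPLE_SESS_ID = "aaaabbbbccccdddd"
SAMPLE_VARS = "Y29uc3RydWN0ZWQ="
SAMPLE_LOG = [
    "[25-Apr-2015 04:03:11 -0400]: <aaaabbbb> DB Error: [1062] Duplicate entry "
    "'%s' for key 'PRIMARY' (SQL Query: INSERT INTO `session` (`sess_id`, "
    "`vars`, `ip`, `created`, `changed`) VALUES ('%s', '%s', '', now(), now()))"
    % (SAMPLE_SESS_ID, SAMPLE_SESS_ID, SAMPLE_VARS),
    "[25-Apr-2015 04:05:40 -0400]: <eeeeffff> constructed unrelated entry",
]

# First two VALUES of a logged INSERT into the `session` table.
SESSION_INSERT = re.compile(
    r"INSERT INTO `session` \(`sess_id`, `vars`[^)]*\) VALUES "
    r"\('(?P<sess_id>[^']*)', '(?P<vars>[^']*)'"
)
TIMESTAMP = re.compile(r"^\[(?P<ts>[^\]]+)\]")


def find_session_leaks(lines):
    """Return one record per line that logs a session id and vars blob."""
    leaks = []
    for lineno, line in enumerate(lines, start=1):
        m = SESSION_INSERT.search(line)
        if m:
            ts = TIMESTAMP.match(line)
            # Record lengths only, so the report never copies the secrets.
            leaks.append({
                "line": lineno,
                "timestamp": ts.group("ts") if ts else None,
                "sess_id_len": len(m.group("sess_id")),
                "vars_len": len(m.group("vars")),
            })
    return leaks


def redact(line):
    """Blank every occurrence of the logged sess_id and vars values."""
    m = SESSION_INSERT.search(line)
    if not m:
        return line
    for secret in (m.group("sess_id"), m.group("vars")):
        if secret:
            line = line.replace(secret, "[REDACTED]")
    return line
```

A hit means the log held session values while the directory was browsable, so the sessions it names are candidates for invalidation once access to the directory is blocked.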
