Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon,  6 Jul 2015 22:57:07 -0400 (EDT)
Subject: Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6

Hash: SHA1

> From

> Fix XSS vulnerability in _mbox argument handling
> The XSS vulnerability can be triggered by appending malicious script
> code to the _mbox parameter.
> https://{YOURSERVER}/?_task=mail&_mbox=[XSS]
> Commit:
> 1.1:
> Not claimed to affect 1.0.

Use CVE-2015-5381.

> Fix security issue in contact photo handling
> There is a potential for an arbitrary read from an authenticated user
> who uploads a contact (vCard) with a specially crafted POST.
> [...]
> by supplying the "_alt" param in the POST. User must be authenticated.
> [...]
> I was able to read any file on disk (the apache has access to, e.g.
> config/ using GET request
> Commits:
> 1.1:
> 1.0:

Use CVE-2015-5382. For 1.1, the security fix for _alt seems to be
announced in --
do you mean that part of the _alt vulnerability was fixed in and then a
different part of the _alt vulnerability was fixed in (if so, then
there would potentially be another CVE ID)?

> Fix potential info disclosure issue by protecting directory access
> The logs directory is not protected from browsing. Most log entries are
> not bad, but one became evident on my host that was pretty nasty.
> It looked like the following:
> [25-Apr-2015 04:03:11 -0400]: <ijpv9kqo> DB Error: [1062]
>   Duplicate entry 'ijpv9kqofvpksxxxxxxxxxxxx' for key 'PRIMARY' (SQL Query: INSERT INTO `session` (`sess_id`
> I obfuscated the sensitive fields, but this would be enough for a
> non-credential user to view the file (via the webroot/logs/errors file),
> and then replace their own cookies with the entry from above to log in
> as a user that was listed there.
> This seems to be a very rare occurrence, but considering that other
> SQL/other actions might report other sensitive data into this file, it
> might be worth automatically protecting this directory with an .htaccess
> file, or prepending a php tag to avoid overt reading by any
> unauthenticated user.
> Commits:
> 1.1:
> Not claimed to affect 1.0.

>> Add .htaccess files to deny access to config, temp, logs

Use CVE-2015-5383. Note that states:

  * .htaccess support allowing overrides for DirectoryIndex

Thus, we wouldn't want to have a separate CVE ID for a scenario in
which someone attempts to use Roundcube with nginx.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.