[arch-security] [ASA-201601-18] roundcubemail: remote code execution
Remi Gacogne
rgacogne at archlinux.org
Sun Jan 17 15:30:30 UTC 2016
Arch Linux Security Advisory ASA-201601-18
==========================================
Severity: High
Date : 2016-01-17
CVE-ID : CVE-2015-8770
Package : roundcubemail
Type : remote code execution
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package roundcubemail before version 1.2beta-2 is vulnerable to
remote code execution.
Resolution
==========
Upgrade to 1.2beta-2.
# pacman -Syu "roundcubemail>=1.2beta-2"
The problem has been fixed upstream in version 1.0.8 and 1.1.4.
Workaround
==========
None.
Description
===========
High-Tech Bridge Security Research Lab discovered a path traversal
vulnerability in Roundcube. The vulnerability can be exploited to gain
access to sensitive information and, under certain circumstances, to
execute arbitrary code and totally compromise the vulnerable server.
The vulnerability exists due to insufficient sanitization of the "_skin"
HTTP POST parameter in the "/index.php" script when changing between
different skins of the web application. A remote authenticated attacker
can use path traversal sequences (e.g. "../../") to load a new skin from
an arbitrary location on the system that is readable by the webserver.
Exploitation of the vulnerability requires valid user credentials and
the ability to create files on the vulnerable host.
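The check a skin loader should apply to a user-supplied skin name, as an added illustration in Python (this is not Roundcube's PHP code or the upstream fix): the raw value must match a strict allowlist pattern, and the resolved path must still be an installed skin inside the skins directory. The directory layout and skin names below are constructed for the demo.

```python
import os
import re
import tempfile

# Allowlist for the raw "_skin" value: a plain directory name, nothing else.
SKIN_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_skin(skins_dir: str, requested: str):
    """Return the directory of the requested skin, or None.

    Two independent checks: the allowlist pattern rejects "../", "/",
    NUL and similar in the raw value, and the realpath containment check
    guarantees the result lies inside skins_dir even if the filesystem
    (symlinks, case folding) would otherwise let a name escape it.
    """
    if not SKIN_NAME.fullmatch(requested):
        return None
    base = os.path.realpath(skins_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isdir(candidate):
        return None
    return candidate


def demo():
    """Constructed skins tree plus a sibling directory outside it."""
    root = tempfile.mkdtemp()
    skins = os.path.join(root, "skins")
    for name in ("larry", "classic"):
        os.makedirs(os.path.join(skins, name))
    os.makedirs(os.path.join(root, "uploads"))  # outside the skins tree
    probes = ["larry", "classic", "../uploads", "larry/../../uploads",
              "..", "lar ry", "missing"]
    return {p: resolve_skin(skins, p) for p in probes}


if __name__ == "__main__":
    for value, path in demo().items():
        print(f"{value!r:>24} -> {'rejected' if path is None else path}")
```

Only "larry" and "classic" resolve; every traversal attempt, malformed name and non-installed skin is rejected before any file under it is read.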
Impact
======
A remote authenticated attacker can access sensitive information and may
be able to execute arbitrary code on the affected host.
References
==========
https://bugs.archlinux.org/task/47764
https://www.htbridge.com/advisory/HTB23283
https://access.redhat.com/security/cve/CVE-2015-8770
https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/
https://github.com/roundcube/roundcubemail/commit/10e5192a2b1bc90ec137f5e69d0aa072c1210d6d