[ASA-201804-8] roundcubemail: arbitrary command execution
Jelle van der Waa
jelle at archlinux.org
Mon Apr 23 17:20:17 UTC 2018
Arch Linux Security Advisory ASA-201804-8
Date : 2018-04-19
CVE-ID : CVE-2018-9846
Package : roundcubemail
Type : arbitrary command execution
Remote : Yes
Link : https://security.archlinux.org/AVG-670
The package roundcubemail before version 1.3.6-1 is vulnerable to
arbitrary command execution.
Upgrade to 1.3.6-1.

# pacman -Syu "roundcubemail>=1.3.6-1"

The problem has been fixed upstream in version 1.3.6.

As a workaround, disable the archive plugin.
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin
enabled and configured, it's possible to exploit the unsanitized,
user-controlled "_uid" parameter (in an archive.php
_task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform
an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a
sequence. NOTE: this is less easily exploitable in 1.3.4 and later
because of a Same Origin Policy protection mechanism.

A remote attacker is able to execute arbitrary IMAP commands via a
specially crafted URL.
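As an added example (not code from this advisory or from Roundcube), the Python below shows why a strict allow-list on "_uid" closes this class of bug: the only thing "_uid" should ever carry is an IMAP sequence set (RFC 3501 grammar: numbers, ranges such as 5:9, "*", joined by commas), so a CR/LF can never be pasted into the IMAP command line. The same check, run over constructed access-log lines, flags move2archive requests whose "_uid" smuggled a CR/LF. The regex, function names and log lines are my assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# RFC 3501 sequence-set: seq-number ("12" or "*"), optional ":" range, comma-separated.
_SEQ_NUM = r"(?:[1-9]\d*|\*)"
_SEQ_ITEM = rf"{_SEQ_NUM}(?::{_SEQ_NUM})?"
SEQUENCE_SET = re.compile(rf"{_SEQ_ITEM}(?:,{_SEQ_ITEM})*")


def is_valid_uid_set(value: str) -> bool:
    """Allow-list check: True only if value is a well-formed IMAP UID sequence set."""
    return SEQUENCE_SET.fullmatch(value) is not None


def build_copy_command(tag: str, uids: str, mailbox: str) -> str:
    """Model of how a UID set is embedded in an IMAP line (illustrative, not Roundcube's code).

    Any CR or LF inside `uids` would terminate this line early and start a second,
    attacker-chosen command; validating against the sequence-set grammar prevents that.
    """
    if not is_valid_uid_set(uids):
        raise ValueError("rejected _uid value: not an IMAP sequence set")
    return f"{tag} UID COPY {uids} {mailbox}\r\n"


# Constructed sample access-log lines (not taken from the advisory). The second one
# carries an encoded CR/LF (%0d%0a) and a harmless NOOP inside _uid.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Apr/2018:10:01:02 +0000] "GET /?_task=mail&_mbox=INBOX'
    '&_action=plugin.move2archive&_uid=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Apr/2018:10:01:09 +0000] "GET /?_task=mail&_mbox=INBOX'
    '&_action=plugin.move2archive&_uid=42%0d%0aA001%20NOOP HTTP/1.1" 200 512',
    '198.51.100.9 - - [19/Apr/2018:10:02:00 +0000] "GET /?_task=mail&_action=list'
    '&_mbox=INBOX HTTP/1.1" 200 4096',
]


def flag_suspicious_requests(log_lines):
    """Return log lines where a plugin.move2archive request has a malformed _uid."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)  # %0d%0a decodes to "\r\n"
        if query.get("_action") != ["plugin.move2archive"]:
            continue
        if any(not is_valid_uid_set(uid) for uid in query.get("_uid", [])):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(build_copy_command("A1", "1,5:9,12:*", "Archive"), end="")
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```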