Roundcube Webmail Issues

Published: 2008-12-26
Last Updated: 2008-12-26 17:31:35 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

Reader Nathan sent us an update on a vulnerability in Roundcube's html2text.php. He said that the exploit is being seen in the wild and that it works. Roundcube is a PHP-powered webmail solution which many prefer over Squirrelmail.

Nathan said that it was fixed on 12/12/2008 and that an official release followed on 12/16/2008. Upgrading to that release is the actual fix; the rest of his advice is general hardening of the PHP environment around the webmail install. He suggested that readers consider Suhosin, mod_chroot, and the php.ini settings below:

allow_url_include = Off
allow_url_fopen = Off
session.use_only_cookies = 1
session.cookie_httponly = 1
expose_php = Off
display_errors = Off
register_globals = Off
disable_functions = phpinfo
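A php.ini file is only one of several places these directives can be set (httpd.conf `php_admin_value`, `.htaccess`, per-directory ini files), so the check that matters is what PHP is actually running with. The script below is an added example, not code from the diary, from Nathan, or from Roundcube: it compares `ini_get()` against the recommended values, treats a directive that this PHP build does not know (for example `register_globals`, removed in PHP 5.4) as not applicable rather than as a failure, and checks `disable_functions` as a list rather than an exact string. The `$expected` table and the output format are this example's own choices.

```php
<?php
// Added example (not from the ISC diary or from Roundcube): verify the php.ini
// hardening settings recommended above against the values PHP is really using.
// Run it under the same SAPI as the webmail install (drop it in the web root
// briefly, or use php-cgi), because the CLI often loads a different php.ini.

// Expected values. Booleans are compared after normalisation; disable_functions
// is a comma-separated list that must contain every function named here.
$expected = [
    'allow_url_include'        => false,
    'allow_url_fopen'          => false,
    'session.use_only_cookies' => true,
    'session.cookie_httponly'  => true,
    'expose_php'               => false,
    'display_errors'           => false,
    'register_globals'         => false,
    'disable_functions'        => ['phpinfo'],
];

// ini_get() returns '' or '0' for a boolean that is Off, '1' for On, and
// false when the directive does not exist in this PHP build at all.
function ini_bool(string $raw): bool
{
    return !in_array(strtolower(trim($raw)), ['', '0', 'off', 'false', 'no'], true);
}

// Returns directive => 'ok' | 'FAIL (...)' | 'n/a (...)' for every expected setting.
function check_hardening(array $expected): array
{
    $findings = [];
    foreach ($expected as $directive => $want) {
        $raw = ini_get($directive);
        if ($raw === false) {
            $findings[$directive] = 'n/a (directive not present in this PHP)';
            continue;
        }
        if (is_array($want)) {
            // Split the list, drop empty entries, and report what is still enabled.
            $have    = array_filter(array_map('trim', explode(',', $raw)));
            $missing = array_diff($want, $have);
            $findings[$directive] = $missing
                ? 'FAIL (not disabled: ' . implode(', ', $missing) . ')'
                : 'ok';
        } else {
            $findings[$directive] = ini_bool($raw) === $want
                ? 'ok'
                : sprintf('FAIL (is %s, want %s)',
                          $raw === '' ? 'Off' : $raw, $want ? 'On' : 'Off');
        }
    }
    return $findings;
}

$failed = 0;
foreach (check_hardening($expected) as $directive => $result) {
    printf("%-26s %s\n", $directive, $result);
    if (strncmp($result, 'FAIL', 4) === 0) {
        $failed++;
    }
}
// Non-zero exit so the script can gate a deployment or a cron-driven audit.
exit($failed > 0 ? 1 : 0);
```

Two caveats worth keeping in mind when reading the output. First, `disable_functions = phpinfo` only removes an easy fingerprinting aid; it does nothing to stop code that PHP itself is told to evaluate, so a clean report here is not evidence that the html2text.php hole is closed, and the upgrade Nathan describes is still required. Second, `session.cookie_httponly` and `session.use_only_cookies` only protect sessions started through PHP's own session handler, so confirm that the application is actually using it before counting them as a win.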

Thanks for the information and the links Nathan!

Marcus H. Sachs
Director, SANS Internet Storm Center
