28.03.2013 01:02, Thomas Bruederli wrote:
> After getting reports about a possible vulnerability of Roundcube
> which allows an attacker to modify its users preferences in a way that
> he/she can then read files from the server, we now published updated
> packages as well as patches that fix this security issue.
>
> Please update all your Roundcube installations with the new versions
> (0.9-rc2, 0.8.6, 0.7.4) or patch them with the published patches.
> Download the latest version from http://roundcube.net/download
>
> Patch for 0.9.x: http://ow.ly/jtQD0
> Patch for 0.8.x: http://ow.ly/jtQHM
> Patch for 0.7.x: http://ow.ly/jtQK0
> Patch for 0.6: http://ow.ly/jtQNd
Are previous versions affected? Looking at my 0.4 installation, save_prefs is implemented absolutely differently; there are lists of prefs for each section, and they are cherry-picked from what the client sends.

> In order to find out whether one of your users has vulnerable
> preferences, you can run the following query on the Roundcube user
> database:
>
> SELECT * FROM users WHERE preferences LIKE '%generic_message_footer%'
>
> If this returns any results, you should at least clear the
> 'preferences' field of that user entry. Or better: entirely block the
> user because he or she most likely tried to exploit your system.
>
> And here's some background about the vulnerability:
> http://lists.roundcube.net/pipermail/dev/2013-March/022328.html
>
> Best regards,
> Thomas
> _______________________________________________
> Roundcube Development discussion mailing list
> [email protected]
> http://lists.roundcube.net/mailman/listinfo/dev
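An added example, not code from the advisory or the Roundcube project: it runs the advisory's detection query and its minimum clean-up step against a constructed in-memory SQLite copy of the `users` table, and shows the per-section allowlist style of preference saving that the reply describes for 0.4. The table layout, the preferences strings and the `ALLOWED_PREFS_BY_SECTION` mapping are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows (user_id, username, preferences). The preferences
# blobs are illustrative strings, not Roundcube's real serialisation format.
SAMPLE_USERS = [
    (1, "alice", '{"timezone":"Europe/Berlin","prefer_html":1}'),
    (2, "bob", '{"timezone":"UTC"}'),
    (3, "mallory", '{"timezone":"UTC","generic_message_footer":"/srv/private/notes.txt"}'),
]

# Assumed per-section allowlist: only these keys may be set from the client.
# A server-side path setting like generic_message_footer is deliberately absent.
ALLOWED_PREFS_BY_SECTION = {
    "general": ("timezone", "prefer_html"),
    "mailbox": ("pagesize",),
}


def build_sample_db():
    """Create an in-memory users table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, preferences TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_vulnerable_users(conn):
    """The advisory's query. Note that '_' is a single-character wildcard in LIKE,
    so this can over-match slightly; for triage that only yields extra rows to review."""
    rows = conn.execute(
        "SELECT user_id, username FROM users WHERE preferences LIKE '%generic_message_footer%'"
    ).fetchall()
    return [username for _, username in rows]


def clear_preferences(conn, usernames):
    """Advisory's minimum remediation: wipe the preferences field of flagged users.
    Returns the number of rows changed."""
    changed = 0
    for name in usernames:
        changed += conn.execute("UPDATE users SET preferences = '' WHERE username = ?", (name,)).rowcount
    conn.commit()
    return changed


def filter_client_prefs(section, submitted):
    """Allowlist approach: keep only keys registered for this section and drop
    everything else the client sent, including unknown sections entirely."""
    allowed = ALLOWED_PREFS_BY_SECTION.get(section, ())
    return {key: value for key, value in submitted.items() if key in allowed}
```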
