Security fixes:
- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted
'plugins' option
The latter two vulnerabilities are classified minor because they only
affect Roundcube installations with public access to the Roundcube
installer. That’s generally a high-risk situation and is expected to be
rare or practically non-existent in productive Roundcube deployments.
However, the fixes are done in core in order to also prevent from future
and yet unknown attack vectors.
Changelog at https://github.com/roundcube/roundcubemail/releases/tag/1.4.4
"In Roundcube from versions 1.2.0 to 1.3.5, with the archive
plugin enabled and configured, it's possible to exploit the
unsanitized, user-controlled "_uid" parameter (in an archive.php
_task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform
an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a
sequence. NOTE: this is less easily exploitable in 1.3.4 and later
because of a Same Origin Policy protection mechanism."
https://github.com/roundcube/roundcubemail/releases/tag/1.3.6
"Apparently this zero-day exploit is already being used by hackers to
read Roundcube’s configuration files. It requires a valid
username/password as the exploit only works with a valid session. More
details will be published soon under CVE-2017-16651.
In order to check whether your Roundcube installation has been
compromised check the access logs for requests like
?_task=settings&_action=upload-display&_from=timezone
As mentioned above, the file disclosure only works for authenticated
users and by finding such requests in the logs you should also be able
to identify the account used for this unauthorized access. For
mitigation we recommend to change the all credentials to external
services like database or LDAP address books and preferably also the
'des_key' option in your config."
"The updates primarily fix a recently discovered vulnerability in the
virtualmin and sasl drivers of the password plugin (CVE-2017-8114).
More details about this vulnerability will be published soon by the
reporter. Security-wise the update is therefore only relevant for those
installations of Roundcube using the password plugin with either one of
these drivers."
imap connection.
PHP's STREAM_CRYPTO_METHOD_TLS_CLIENT is TLSv1.0 only "for BC with pre-5.6".
There's a STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT but it doesn't seem to actually
work, so use STREAM_CRYPTO_METHOD_SSLv23_CLIENT which (at least with libressl)
is TLS-only anyway.
Thanks PHP.
While there, add an explicit note to the README about the requirement to
disable suhosin session encryption now that we're using the extension in the
standard PHP packages.
