"In Roundcube from versions 1.2.0 to 1.3.5, with the archive
plugin enabled and configured, it's possible to exploit the
unsanitized, user-controlled "_uid" parameter (in an archive.php
_task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform
an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a
sequence. NOTE: this is less easily exploitable in 1.3.4 and later
because of a Same Origin Policy protection mechanism."
https://github.com/roundcube/roundcubemail/releases/tag/1.3.6
"Apparently this zero-day exploit is already being used by hackers to
read Roundcube’s configuration files. It requires a valid
username/password as the exploit only works with a valid session. More
details will be published soon under CVE-2017-16651.
In order to check whether your Roundcube installation has been
compromised check the access logs for requests like
?_task=settings&_action=upload-display&_from=timezone
As mentioned above, the file disclosure only works for authenticated
users and by finding such requests in the logs you should also be able
to identify the account used for this unauthorized access. For
mitigation we recommend to change the all credentials to external
services like database or LDAP address books and preferably also the
'des_key' option in your config."
"The updates primarily fix a recently discovered vulnerability in the
virtualmin and sasl drivers of the password plugin (CVE-2017-8114).
More details about this vulnerability will be published soon by the
reporter. Security-wise the update is therefore only relevant for those
installations of Roundcube using the password plugin with either one of
these drivers."
imap connection.
PHP's STREAM_CRYPTO_METHOD_TLS_CLIENT is TLSv1.0 only "for BC with pre-5.6".
There's a STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT but it doesn't seem to actually
work, so use STREAM_CRYPTO_METHOD_SSLv23_CLIENT which (at least with libressl)
is TLS-only anyway.
Thanks PHP.
While there, add an explicit note to the README about the requirement to
disable suhosin session encryption now that we're using the extension in the
standard PHP packages.
reporting E_DEPRECATED messages as there is a deprecation warning with Net_SMTP
that is unfixed upstream resulting in a lot of noise in roundcube's error log
for each sent message.
support for screen readers and more.
Note: IE7/8 no longer supported by default but can be added with the
"legacy_browser" plugin.
There is new experimental anti-CSRF code (per-session tokens in URLs making
it harder for an attacker to generate a valid URL), this is not enabled by
default (requires rewrite support from the web server), for more info see
http://trac.roundcube.net/wiki/Howto_Config/Secure_URLs
starting with "installer". Since I don't think this is possible with the
implementation for apache-httpd-openbsd just comment out the rule for now,
kirby@ agrees.
