Webmailer Roundcube: Critical vulnerabilities allow file manipulation and more

Attackers could write arbitrary files to the web server, inject script code, and bypass content filters.


The webmail system Roundcube had several security vulnerabilities, some of them critical. The development team has fixed them and released the fifth and "hopefully last" release candidate for version 1.7. Older versions also receive patches for the vulnerabilities.

The most dangerous vulnerability likely lies in the session management using Redis/memcache: it allows attackers to write arbitrary files to the web server without prior authentication. Also problematic: another vulnerability allowed, in some cases, changing a Roundcube user's password without knowing the old password. CVE identifiers do not yet exist for any of the vulnerabilities.

Furthermore, the Roundcube developers fixed various ways to bypass content filters, specifically the blocking of images in the email display. An IMAP injection, cross-site scripting, and SSRF were also found and reported by independent security researchers.


Bug-fix releases for the three currently maintained Roundcube versions have been released:

  • Roundcube 1.7rc5,
  • Roundcube 1.6.14 and
  • Roundcube 1.5.14

Download links and brief information about the individual security vulnerabilities can be found in the release announcement on GitHub. The webmailer developers strongly recommend that all admins update their webmailers to the latest version. As recently as the end of February, exploits for Roundcube security vulnerabilities had prompted a warning from the US cybersecurity agency CISA.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.