Roundcube 1.2.2 – Remote Code Execution Vulnerability
by CIRT Team
Description:
In Roundcube 1.2.2 and earlier, user-controlled input flows unsanitized into the fifth argument of a call to PHP's built-in mail() function, which is documented as security critical. Invoking mail() causes PHP to execute the sendmail program, and the fifth argument passes additional command-line arguments to that execution, which allows sendmail to be configured. Since sendmail offers the -X option to log all mail traffic to a file, an attacker can abuse this option to create a malicious PHP file in the webroot directory of the attacked server.
Impact: A malicious user can remotely execute arbitrary commands on the underlying operating system simply by writing an email in Roundcube 1.2.2 (>= 1.0).
Mitigation: The vendor has released a patched version.
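A defensive pattern for the issue described above, as an added example (not Roundcube's code or its patch): validate the envelope sender against a strict allowlist before it reaches mail()'s fifth argument. The helper name safe_sendmail_params() and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example, not Roundcube code. safe_sendmail_params() is a
// hypothetical helper; the sample addresses below are constructed.

// Risky pattern: the sender string goes straight into the 5th argument.
// mail() applies escapeshellcmd() internally, which stops command
// chaining but still lets whitespace split the value into extra
// sendmail options.
//   mail($to, $subject, $body, $headers, "-f$from");

/**
 * Build mail()'s additional-parameters string for an envelope sender,
 * or return null when the address must not reach the command line.
 */
function safe_sendmail_params(string $from): ?string
{
    // Deliberately stricter than RFC 5322: no whitespace, quotes or
    // control characters, and the local part cannot start with "-".
    $label   = '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?';
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._+-]*@' . $label
             . '(?:\.' . $label . ')+\z/';

    if (strlen($from) > 254 || preg_match($pattern, $from) !== 1) {
        return null;
    }
    return '-f' . $from;
}

// Constructed inputs: one valid sender, three containing option-like text.
$samples = [
    'alice@example.com',
    'alice@example.com -Xconstructed.log',
    "alice@example.com\t-oConstructedOption",
    '"alice -X"@example.com',
];

foreach ($samples as $from) {
    $params = safe_sendmail_params($from);
    if ($params === null) {
        echo 'rejected: ' . json_encode($from) . PHP_EOL;
        continue;
    }
    // A real caller would now run:
    //   mail($to, $subject, $body, $headers, $params);
    echo 'accepted: ' . $params . PHP_EOL;
}
```

This check is defence in depth for custom code that calls mail(); installing the vendor's patched release remains the fix for Roundcube itself.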
Reference URLs:
- https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
- https://roundcube.net/news/2016/09/28/updates-1.2.2-and-1.1.6-published