oss-sec mailing list archives
Re: roundcube code execution via mail()
From: <cve-assign () mitre org>
Date: Thu, 8 Dec 2016 13:57:19 -0500
https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
https://github.com/roundcube/roundcubemail/commit/aa6bf38843f51a0fc7205acc98a7b84f3c4c9c4f
https://github.com/roundcube/roundcubemail/commit/45a3e81653eb6ad3685d1a9ab817a61df78178eb
> highly critical because all default installations are affected

> When an email is sent with Roundcube, the HTTP request can be intercepted and altered. Here, the _from parameter can be modified in order to place a malicious PHP file on the file system.
Use CVE-2016-9920.
> a logical flaw in the application that causes the sanitization to fail

> the $from parameter is expected to have no whitespaces

> preg_match('/(\S+@\S+)/',

> another regular expression in line 863 which requires that the line ends ($) right after the email match. A payload used by an attacker does not have to match this regex
We do not feel that this regex discussion requires a second CVE. The essence of the CVE-2016-9920 issue is that sendmail.inc detects certain invalid envelope-from fields but does not do anything (such as executing $from = null) about them.

--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
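As an added illustration (not code from Roundcube, from the RIPS write-up, or from anyone in this thread), the following PHP models the "detects but does nothing" pattern cve-assign describes above, using the two regex shapes quoted in the thread: an unanchored `\S+@\S+` match and an anchored variant that requires the value to end right after the address. The function names, the control flow around the checks and the sample inputs are assumptions made for the example; Roundcube's actual sendmail.inc code is not reproduced here.

```php
<?php
// Added example, not Roundcube's code. Models the envelope-from handling
// cve-assign describes: a check that detects a bad value but does not act
// on it, beside a version that discards the value. Function names, control
// flow and inputs are assumptions for illustration only.

// Vulnerable shape: detection without consequence.
function envelope_from_detect_only(string $from): ?string
{
    // Unanchored: any whitespace-free token containing '@' matches, so a
    // value that carries extra whitespace-separated tokens still "passes".
    $looks_like_address = (bool) preg_match('/(\S+@\S+)/', $from);

    // Anchored: the whole value must be exactly one address.
    $is_single_address = (bool) preg_match('/^\S+@\S+$/', $from);

    if ($looks_like_address && !$is_single_address) {
        error_log("suspicious envelope-from: $from");
        // ... and that is all that happens: $from is returned unchanged.
    }
    return $from;
}

// Fixed shape: the same detection, but the value is dropped (the
// "$from = null" cve-assign mentions).
function envelope_from_sanitized(string $from): ?string
{
    $from = trim($from, '<>');
    if (!preg_match('/^\S+@\S+$/', $from)) {
        return null;   // no -f argument at all, rather than an attacker-shaped one
    }
    return $from;
}

// The string a caller would hand to mail() as its 5th argument
// (additional_parameters). mail() is deliberately not called here; the
// shape of the string is the point.
function additional_parameters(?string $from): string
{
    return $from === null ? '' : '-f' . $from;
}

// Constructed inputs: a plain address, a bracketed one, and one carrying
// extra whitespace-separated tokens (the shape this advisory is about).
$inputs = [
    'alice@example.org',
    '<alice@example.org>',
    'alice@example.org extra tokens here',
];

foreach ($inputs as $in) {
    printf("%-40s detect-only: %-45s sanitized: %s\n",
        var_export($in, true),
        var_export(additional_parameters(envelope_from_detect_only($in)), true),
        var_export(additional_parameters(envelope_from_sanitized($in)), true));
}
```

Run it with `php example.php`. The third input is the interesting one: the detect-only path logs a warning and then still passes the entire string through as `-falice@example.org extra tokens here`, and PHP's mail() hands additional_parameters to the sendmail binary as a whitespace-split argument list, so every extra token becomes a separate argument; the sanitized path returns null and no -f argument is passed at all. The second input shows why the anchored regex alone is not a full answer either: `<alice@example.org>` contains no whitespace and so satisfies `^\S+@\S+$`, which is why the fixed version strips the brackets before checking.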
Current thread:
- roundcube code execution via mail() Hanno Böck (Dec 08)
- Re: roundcube code execution via mail() cve-assign (Dec 08)