oss-sec mailing list archives

Re: roundcube code execution via mail()


From: <cve-assign () mitre org>
Date: Thu, 8 Dec 2016 13:57:19 -0500


https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

https://github.com/roundcube/roundcubemail/commit/aa6bf38843f51a0fc7205acc98a7b84f3c4c9c4f
https://github.com/roundcube/roundcubemail/commit/45a3e81653eb6ad3685d1a9ab817a61df78178eb

highly critical because all default installations are affected

When an email is sent with Roundcube, the HTTP request can be
intercepted and altered. Here, the _from parameter can be modified in
order to place a malicious PHP file on the file system.

Use CVE-2016-9920.


a logical flaw in the application that causes the sanitization to fail

the $from parameter is expected to have no whitespaces

preg_match('/(\S+@\S+)/',

another regular expression in line 863 which requires that the line
ends ($) right after the email match. A payload used by an attacker
does not have to match this regex

We do not feel that this regex discussion requires a second CVE. The
essence of the CVE-2016-9920 issue is that sendmail.inc detects
certain invalid envelope-from fields but does not do anything (such as
executing $from = null) about them.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
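As an added illustration, not code from Roundcube or from the message above, the following PHP sketch contrasts the detect-but-do-nothing pattern the reply describes with the corrected handling that discards an invalid envelope-from. The function names and the sample input are hypothetical, and the `-f` option is the usual way an envelope sender is passed through mail()'s fifth argument.

```php
<?php
// Added illustration (not Roundcube's code): models the logical flaw described
// in the thread, a check that detects an invalid envelope-from but leaves the
// value in use, beside the corrected behaviour of discarding it ($from = null).
// Function names and the sample value below are hypothetical / constructed.

// Detect-only variant: the unanchored regex fires on the first address-like
// token, and the mismatch with the full value is noticed but not acted upon.
function envelope_from_detect_only(string $from): ?string
{
    if (!preg_match('/(\S+@\S+)/', $from, $m)) {
        return null;                                  // nothing address-like
    }
    if ($m[1] !== $from) {
        error_log("invalid envelope-from detected: $from");   // detected ...
    }
    return $from;                                     // ... but passed on anyway
}

// Corrected variant: the whole value must be one whitespace-free address,
// anchored at both ends; anything else becomes null instead of being forwarded.
function envelope_from_fixed(string $from): ?string
{
    return preg_match('/^\S+@\S+$/', $from) ? $from : null;
}

// Only a vetted value may reach mail()'s fifth argument, which PHP hands to the
// sendmail binary's command line, where whitespace separates further arguments.
function sendmail_params(?string $from): string
{
    return $from === null ? '' : '-f' . escapeshellarg($from);
}

// Constructed sample: a valid address followed by whitespace and a second token.
$sample = "user@example.test second-token";

foreach (['envelope_from_detect_only', 'envelope_from_fixed'] as $check) {
    $result = $check($sample);
    echo $check, ': ',
         $result === null ? 'discarded' : 'forwarded as "' . $result . '"',
         "\n";
    echo '  mail() params: "', sendmail_params($result), "\"\n";
}
```

Running the sketch shows the detect-only check forwarding the whole string, second token included, while the corrected check yields null and an empty parameter string.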

