Reported by star26bsd on 16 Sep 2011 06:42 UTC as Trac ticket #1488086
A user has an email in his inbox which has an amazon.de URL as subject only (see log message below; the server runs PHP 5.3.8 with the latest Suhosin, default config, on the latest Apache on FreeBSD). When the user logs in to Roundcube the 'loading' box is spinning forever. After disabling Suhosin temporarily, the inbox can be displayed in Roundcube properly.
The log files show:
Sep 15 21:05:03 <user.alert> srv3 suhosin: ALERT - Include filename ('http://www.amazon.de/Die-unglaubliche-Geschichte-Henry-Brown/dp/3499252899/ref=pd_bxgy_b_text_c.php') is an URL that is not allowed (attacker 'xx.xx.xx.x', file '/usr/local/www/roundcubemail-0.5.3/program/include/iniset.php', line 111)
This message made me wonder why Suhosin thinks there's an include going on. Line 111 of iniset.php shows:
It seems like Roundcube wants to include what is displayed in the subject, which happens to be a URL, and Suhosin legitimately blocks this attempt.
In short, I can send an email to a user on a Suhosin-protected mail server and make his inbox unavailable. Needless to say, the user cannot delete this email himself via Roundcube. In my case, I had to delete the email file on the server to make Roundcube show the inbox again.
I have been running Suhosin + RC for more than a year now without problems. However, I've upgraded to PHP 5.3.x recently, so I have reason to believe this effect is kinda related to the new Suhosin/PHP in combination with RC.
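The failure mode in this report, an include() fed a string that originated in a message header, as an added illustration that is not Roundcube's code and not the actual iniset.php line: an autoloader that maps whatever name it is handed straight to an include path (assumed shape), beside one that allow-lists the class name and pins the file to a fixed directory so a URL or a path can never reach include(). The base directory, function names and the way the subject reaches the autoloader (a class_exists() lookup) are assumptions.

```php
<?php
// Added example, not Roundcube's code. Assumed mechanism: an autoloader that
// derives an include path from the string it is handed. If a header value
// (here a subject line) ends up in a class_exists()/is_callable() check, PHP
// hands it to the autoloader, and a URL becomes an include() of a remote file
// whenever allow_url_include is on. Suhosin's "Include filename is an URL"
// alert in the report is this being blocked at the last moment.

// Unsafe shape: no validation, include_path search, stream wrappers accepted.
function unsafe_autoload($classname)
{
    @include_once $classname . '.php';
}

// Hardened shape: allow-list the name, pin the directory, refuse anything
// that resolves outside it.
define('CLASS_DIR', __DIR__ . '/program/include'); // assumed base directory

function safe_autoload($classname)
{
    // Shipped class names are [A-Za-z0-9_]; anything else (':', '/', '.', '?')
    // is not a class of ours and must not reach include().
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{0,127}$/', $classname)) {
        error_log('autoload: rejected class name ' . bin2hex($classname));
        return false;
    }
    $file = realpath(CLASS_DIR . '/' . $classname . '.php');
    // realpath() returns false for missing files and resolves symlinks, so a
    // prefix check against the pinned directory also catches traversal.
    if ($file === false || strpos($file, CLASS_DIR . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include_once $file;
    return true;
}

spl_autoload_register('safe_autoload');

// Constructed input: the subject line from the report (abbreviated). Looking it
// up as a class must come back false without any include() being attempted.
$subject = 'http://www.amazon.de/Die-unglaubliche-Geschichte-Henry-Brown/dp/3499252899/ref=pd_bxgy_b_text_c';
var_dump(class_exists($subject)); // bool(false); error_log shows the rejection
```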
Comment by star26bsd on 16 Sep 2011 08:55 UTC
Thanks, Alec, this is fixing the issue. Your diff doesn't apply cleanly to 0.5.4 so I've "backported" it. I have not analysed the security implications of this issue but I'd favour an inclusion of this patch to the 0.5.x branch.
(for the test email, just send an email with the URL provided above in the subject line, no body.)
Comment by star26bsd on 16 Sep 2011 12:55 UTC
Some further tests show that without your patch, I am able to force the server to issue GET requests to any URL I provide in the subject line of an email. A user does not even have to click on this email, the GET request is issued directly after login to RoundCube. Of course, Suhosin must not be active for this attack and PHP 5.3.8 must be used. For instance, a subject line of
will result in a GET request of here.php issued to click.me by the server hosting RC:
This can be used to force requests to certain URLs. It can also be used to DoS RoundCube servers by requesting large amounts of data. However, within the time spent I was not able to dynamically inject code or make responses of the requests visible or usable in any way. However, I definitely recommend releasing a security/reliability patch.