
RC can be DoS'ed by sending specific email #3505

Closed
rcubetrac opened this Issue Sep 16, 2011 · 6 comments


Reported by star26bsd on 16 Sep 2011 06:42 UTC as Trac ticket #1488086

Hi,

a user has an email in his inbox which has an amazon.de URL as subject only (see log message below, the server runs php 5.3.8 with latest suhosin, default config on latest apache on FreeBSD). When the user logs in to roundcube the 'loading' box is spinning forever. After disabling suhosin temporarily, the inbox can be displayed in roundcube properly.

The log files show:

Sep 15 21:05:03 <user.alert> srv3 suhosin[61727]: ALERT - Include filename ('http://www.amazon.de/Die-unglaubliche-Geschichte-Henry-Brown/dp/3499252899/ref=pd_bxgy_b_text_c.php') is an URL that is not allowed (attacker 'xx.xx.xx.x', file '/usr/local/www/roundcubemail-0.5.3/program/include/iniset.php', line 111)

This message made me wonder why suhosin thinks there's an include going on. Line 111 of iniset.php shows:

    include_once("$filename.php");

It seems like roundcube wants to include what is displayed in the subject, which happens to be a url - and suhosin legitimately blocks this attempt.

In short, I can send an email to a user on a suhosin protected mail server and make his inbox unavailable. Needless to say, the user cannot delete this email himself via RoundCube. In my case, I had to delete the email file on the server to make roundcube show the inbox again.

I have run Suhosin + RC for more than a year now without problems. However, I've upgraded to PHP 5.3.x recently, so I have reason to believe this effect is kinda related to new suhosin/PHP in combination with RC.

Thanks,
Stephan

Migrated-From: http://trac.roundcube.net/ticket/1488086

Comment by @alecpl on 16 Sep 2011 07:37 UTC

This is because of this: https://bugs.php.net/bug.php?id=55475. We need to modify is_a() usage in PEAR packages. Please also provide a sample message, so I can try to reproduce it and find out if it isn't a bug in Roundcube code.

Milestone changed by @alecpl on 16 Sep 2011 07:37 UTC

later => 0.6-stable

Comment by @alecpl on 16 Sep 2011 08:08 UTC

8c124b9 and the other commit before it should fix the issue. I'm unable to reproduce the issue. Reopen with a complete test case if it doesn't work for you (use the svn-trunk version).

Status changed by @alecpl on 16 Sep 2011 08:08 UTC

new => closed

@rcubetrac rcubetrac closed this Sep 16, 2011

Comment by star26bsd on 16 Sep 2011 08:55 UTC

Thanks, Alec, this fixes the issue. Your diff doesn't apply cleanly to 0.5.4, so I've "backported" it. I have not analysed the security implications of this issue, but I'd favour inclusion of this patch in the 0.5.x branch.

(for the test email, just send an email with the URL provided above in the subject line, no body.)

Index: trunk/roundcubemail/program/lib/MDB2/Driver/Datatype/Common.php
===================================================================
--- roundcubemail/program/lib/MDB2/Driver/Datatype/Common.php   (revision 3227)
+++ roundcubemail/program/lib/MDB2/Driver/Datatype/Common.php   (revision 5222)
@@ -1380,5 +1380,5 @@
                 return $db;
             }
-            if (isset($db->function) && is_a($db->function, 'MDB2_Driver_Function_Common')) {
+            if (isset($db->function) && is_object($db->function) && is_a($db->function, 'MDB2_Driver_Function_Common')) {
                 return $db->function->now('date');
             }
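Review bot: the added is_object() guard is the actual fix here, not a redundant check: in PHP 5.3.8 (bug 55475 linked above) is_a() with a string first argument invokes the class autoloader, and the suhosin alert in the report shows that autoloader reaching include_once("$filename.php") at iniset.php line 111 with the subject string (note the ".php" appended to the URL in the alert). Since $db->function is either unset or a module object, the guard costs nothing; if PHP 4 compatibility of this PEAR code is not needed, "$db->function instanceof MDB2_Driver_Function_Common" would avoid the autoload path without depending on the PHP version at all.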
@@ -1409,5 +1409,5 @@
                 return $db;
             }
-            if (isset($db->function) && is_a($db->function, 'MDB2_Driver_Function_Common')) {
+            if (isset($db->function) && is_object($db->function) && is_a($db->function, 'MDB2_Driver_Function_Common')) {
                 return $db->function->now('timestamp');
             }
@@ -1438,5 +1438,5 @@
                 return $db;
             }
-            if (isset($db->function) && is_a($db->function, 'MDB2_Driver_Function_Common')) {
+            if (isset($db->function) && is_object($db->function) && is_a($db->function, 'MDB2_Driver_Function_Common')) {
                 return $db->function->now('time');
             }
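Review bot: this is the third copy of the identical guard in the same file (the hunks at 1380, 1409 and 1438, all followed by a $db->function->now() call); a small private helper, for example a hypothetical _hasFunctionModule($db), would keep the three call sites in sync if the check has to change again, and would make a backport to 0.5.x a one-hunk change.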
Index: trunk/roundcubemail/program/lib/PEAR.php
===================================================================
--- roundcubemail/program/lib/PEAR.php  (revision 3073)
+++ trunk/roundcubemail/program/lib/PEAR.php    (revision 5222)
@@ -266,5 +266,5 @@
     function isError($data, $code = null)
     {
-        if (!is_a($data, 'PEAR_Error')) {
+        if (!is_object($data) || !is_a($data, 'PEAR_Error')) {
             return false;
         }
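Review bot: the is_object() short-circuit belongs in isError() more than anywhere else, because this method is called on return values of every kind and a non-object argument is the normal case, not the exception; before this change each such call handed a string, array or boolean to is_a() and, on PHP 5.3.8, into the autoloader. "$data instanceof PEAR_Error" would express the same test without any autoload side effect, but since PEAR.php keeps is_a() for PHP 4 compatibility, prefixing is_object() is the minimal safe change and is correct as written.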
Index: trunk/roundcubemail/program/steps/mail/func.inc
===================================================================
--- roundcubemail/program/steps/mail/func.inc 2011-06-02 14:36:32.000000000 +0200
+++ roundcubemail/program/steps/mail/func.inc 2011-09-16 10:46:14.000000000 +0200
@@ -1591,7 +1591,7 @@
 {
   global $RCMAIL, $IMAP;

-  if (!is_a($message, rcube_message))
+  if (!is_object($message) || !is_a($message, 'rcube_message'))
     $message = new rcube_message($message);

   if ($message->headers->mdn_to && !$message->headers->mdn_sent &&
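Review bot: this hunk fixes two defects, and the second one deserves a mention in the commit message: the old line passed the bare word rcube_message, an undefined constant that PHP silently converts to the string 'rcube_message' with only an E_NOTICE; the replacement quotes it. The is_object() guard is needed here because, as the following "new rcube_message($message)" shows, $message is deliberately allowed to be a message UID rather than an object, so the old is_a() received a non-object on every such call.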



Comment by star26bsd on 16 Sep 2011 12:55 UTC

Some further tests show that without your patch, I am able to force the server to issue GET requests to any URL I provide in the subject line of an email. A user does not even have to click on this email, the GET request is issued directly after login to RoundCube. Of course, Suhosin must not be active for this attack and PHP 5.3.8 must be used. For instance, a subject line of

http://click.me/here

will result in a GET request of here.php issued to click.me by the server hosting RC:

srv3.xxx.xx - - [16/Sep/2011:14:10:01 +0200] "GET /here.php HTTP/1.0" 404 3959 "-" "-"

This can be used to force requests to certain URLs. It can also be used to DoS RoundCube servers by requesting large amounts of data. However, within the time spent I was not able to dynamically inject code or make responses of the requests visible or usable in any way. However, I definitely recommend releasing a security/reliability patch.

Thanks,
Stephan A. Rickauer,
Compass Security AG,
http://www.csnc.ch

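A defensive counterpart to Alec's diagnosis (is_a() on a string reaching the autoloader) and to Stephan's findings above (a URL in a subject line turning into an include and an outbound GET). This is an added example, not Roundcube's or PEAR's code: an autoloader that only maps identifier-shaped class names to files, and a type check that never hands a non-object to is_a(). The class directory and the function names are assumptions.

```php
<?php
// Added example (not Roundcube or PEAR code): an autoloader that refuses to
// turn arbitrary strings into include paths, plus a type check that never
// hands a non-object to is_a() and therefore never reaches the autoloader.

// Assumed class directory; adjust to the application's layout.
define('APP_CLASS_DIR', __DIR__ . '/program/include');

function safe_autoload($classname)
{
    // Only plain PHP identifiers may be mapped to a file. A subject line such
    // as "http://click.me/here" fails this test, so no include_once of
    // "$filename.php" is attempted and no outbound request can be triggered.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $classname)) {
        // Hex-encode the rejected value so the log line cannot be forged.
        error_log('autoload: rejected non-identifier class name '
                  . bin2hex(substr($classname, 0, 64)));
        return false;
    }
    // Build the path from a constant local prefix, never from the input alone.
    $file = APP_CLASS_DIR . '/' . strtolower($classname) . '.php';
    if (!is_file($file)) {
        return false;
    }
    include_once $file;
    // Second argument false: do not re-enter autoloading while checking.
    return class_exists($classname, false);
}
spl_autoload_register('safe_autoload');

// Replacement for a bare is_a($value, 'Class'): is_object() short-circuits
// for strings, ints and arrays, and instanceof never triggers autoloading.
function is_instance_of($value, $classname)
{
    return is_object($value) && $value instanceof $classname;
}

// Constructed inputs: a mail subject that is a URL, and a genuine object.
$subject = 'http://click.me/here';
$checks = array(
    'URL subject vs PEAR_Error' => is_instance_of($subject, 'PEAR_Error'),
    'stdClass vs stdClass'      => is_instance_of(new stdClass(), 'stdClass'),
);
foreach ($checks as $label => $result) {
    printf("%-28s %s\n", $label, $result ? 'instance' : 'not an instance');
}
```

The identifier check is independent of the PHP version, so it also covers the 5.3.8 is_a() behaviour without relying on suhosin to catch the include.
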
@rcubetrac rcubetrac added this to the 0.6-stable milestone Mar 20, 2016
