Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vulnerability in handling _session argument of utils/save-prefs action #4362

Closed
rcubetrac opened this issue Oct 17, 2013 · 5 comments

Comments

@rcubetrac
Copy link

commented Oct 17, 2013

Reported by @alecpl on 17 Oct 2013 08:14 UTC as Trac ticket #1489382

It is possible to overwrite any variable in $_SESSION. This gives an attacker a lot of possibilities.

Migrated-From: http://trac.roundcube.net/ticket/1489382

@rcubetrac

This comment has been minimized.

Copy link
Author

commented Oct 17, 2013

Comment by @alecpl on 17 Oct 2013 08:26 UTC

Fixed in 70c7df8 and backported to all release branches down to 0.7.

@rcubetrac

This comment has been minimized.

Copy link
Author

commented Oct 17, 2013

Status changed by @alecpl on 17 Oct 2013 08:26 UTC

new => closed

@rcubetrac rcubetrac closed this Oct 17, 2013
@rcubetrac

This comment has been minimized.

Copy link
Author

commented Feb 20, 2014

Comment by @thomascube on 20 Feb 2014 14:04 UTC

CVE number for this is: CVE-2013-6172

The update notification with links to patches can be found here: http://roundcube.net/news/2013/10/21/security-updates-095-and-087/

@rcubetrac rcubetrac added this to the 0.9.5 milestone Mar 20, 2016
@HaToan

This comment has been minimized.

Copy link

commented Apr 7, 2017

CVE-2013-6172. steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.
Help me! find function contain vulnerbility "read arbitrary files" ?.
Thank you.

@alecpl

This comment has been minimized.

Copy link
Member

commented Apr 7, 2017

We don't really support these old versions. Here's the commit: 70c7df8.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.