Vulnerability in handling _session argument of utils/save-prefs action #4362

Closed
rcubetrac opened this issue Oct 17, 2013 · 5 comments
Comments

@rcubetrac commented Oct 17, 2013

Reported by @alecpl on 17 Oct 2013 08:14 UTC as Trac ticket #1489382

It is possible to overwrite any variable in $_SESSION. This gives an attacker a lot of possibilities.

Migrated-From: http://trac.roundcube.net/ticket/1489382

@rcubetrac commented Oct 17, 2013

Comment by @alecpl on 17 Oct 2013 08:26 UTC

Fixed in 70c7df8 and backported to all release branches down to 0.7.

@rcubetrac commented Oct 17, 2013

Status changed by @alecpl on 17 Oct 2013 08:26 UTC

new => closed

@rcubetrac closed this Oct 17, 2013

@rcubetrac commented Feb 20, 2014

Comment by @thomascube on 20 Feb 2014 14:04 UTC

CVE number for this is: CVE-2013-6172

The update notification with links to patches can be found here: http://roundcube.net/news/2013/10/21/security-updates-095-and-087/

@rcubetrac rcubetrac added this to the 0.9.5 milestone Mar 20, 2016
@HaToan commented Apr 7, 2017

CVE-2013-6172. steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.
Help me! Which function contains the "read arbitrary files" vulnerability?
Thank you.
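The bug class described in this issue (a request parameter naming a slash-separated path into $_SESSION, with the supplied value written there unchecked) and the CVE text quoted above, shown as an added PHP example. This is illustrative code written for this thread, not Roundcube's own save_pref.inc and not a description of what commit 70c7df8 changed; the function names, the SESSION_PATH_FOR_PREF map and the sample session keys are assumptions for the demo. The hardened variant applies the general remedy for this class: an allow-list of preference names, each bound to one fixed session path, so the client can never choose the session target itself.

```php
<?php
// Illustrative example added to this thread; NOT Roundcube's code.
// Models the reported bug class: the "_session" request parameter names a
// path into $_SESSION and "_value" is written there without restriction, so
// any session variable can be overwritten. Function names and session keys
// below are assumptions for the demo, not Roundcube identifiers.
declare(strict_types=1);

// Constructed sample session state (not Roundcube's real session layout).
$_SESSION = [
    'username'     => 'alice',
    'storage_host' => 'imap.example.org',
    'preferences'  => ['preview_pane' => false],
];

/** Walk $target along "a/b/c" and assign $value at the leaf, creating nodes as needed. */
function write_session_path(array &$target, string $path, $value): void
{
    $keys = explode('/', $path);
    $leaf = array_pop($keys);
    $ref  = &$target;
    foreach ($keys as $key) {
        if (!isset($ref[$key]) || !is_array($ref[$key])) {
            $ref[$key] = [];
        }
        $ref = &$ref[$key];
    }
    $ref[$leaf] = $value;
}

/** Vulnerable pattern: the session path comes straight from the request. */
function vulnerable_save_pref(array $post): void
{
    $sessname = (string)($post['_session'] ?? '');
    if ($sessname !== '') {
        write_session_path($_SESSION, $sessname, $post['_value'] ?? null);
    }
}

// Hardened pattern: only known preference names are accepted, and each one
// may update exactly one pre-mapped session path (assumed mapping for the demo).
const SESSION_PATH_FOR_PREF = [
    'preview_pane' => 'preferences/preview_pane',
];

function safe_save_pref(array $post): bool
{
    $name     = (string)($post['_name']    ?? '');
    $sessname = (string)($post['_session'] ?? '');

    if (!array_key_exists($name, SESSION_PATH_FOR_PREF)) {
        return false;                     // unknown preference: refuse
    }
    if ($sessname !== '' && $sessname !== SESSION_PATH_FOR_PREF[$name]) {
        return false;                     // client-chosen session target: refuse
    }
    if ($sessname !== '') {
        write_session_path($_SESSION, $sessname, $post['_value'] ?? null);
    }
    return true;
}

// Attack request: a harmless-looking preference write whose "_session"
// parameter points at the login name instead of a preference.
$attack = ['_name' => 'preview_pane', '_value' => 'mallory', '_session' => 'username'];

vulnerable_save_pref($attack);
echo "vulnerable: username is now {$_SESSION['username']}\n";

$_SESSION['username'] = 'alice';                                 // reset for the second run
$accepted = safe_save_pref($attack);
echo "hardened: attack accepted? " . ($accepted ? 'yes' : 'no')
   . ", username is {$_SESSION['username']}\n";

// The legitimate write for the mapped preference still goes through.
$ok = safe_save_pref(['_name' => 'preview_pane', '_value' => true,
                      '_session' => 'preferences/preview_pane']);
echo "hardened: legitimate write accepted? " . ($ok ? 'yes' : 'no') . "\n";
```

Run it with `php` on the command line; no web server or session_start() is needed because $_SESSION is only used here as a plain array. The real handler would also persist the preference to the user's stored prefs, which the demo leaves out; the point is that the session write must never take its target from the client.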

@alecpl (Member) commented Apr 7, 2017

We don't really support these old versions. Here's the commit: 70c7df8.
