Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Vulnerability in handling _session argument of utils/save-prefs action #4362

rcubetrac opened this Issue Oct 17, 2013 · 5 comments


None yet
3 participants

Reported by @alecpl on 17 Oct 2013 08:14 UTC as Trac ticket #1489382

It is possible to overwrite any variable in $_SESSION. This gives an attacker a lot of possibilities.

Migrated-From: http://trac.roundcube.net/ticket/1489382

Comment by @alecpl on 17 Oct 2013 08:26 UTC

Fixed in 70c7df8 and backported to all release branches down to 0.7.

Status changed by @alecpl on 17 Oct 2013 08:26 UTC

new => closed

@rcubetrac rcubetrac closed this Oct 17, 2013

Comment by @thomascube on 20 Feb 2014 14:04 UTC

CVE number for this is: CVE-2013-6172

The update notification with links to patches can be found here: http://roundcube.net/news/2013/10/21/security-updates-095-and-087/

@rcubetrac rcubetrac added this to the 0.9.5 milestone Mar 20, 2016

HaToan commented Apr 7, 2017 edited

CVE-2013-6172. steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.
Help me! find function contain vulnerbility "read arbitrary files" ?.
Thank you.


alecpl commented Apr 7, 2017

We don't really support these old versions. Here's the commit: 70c7df8.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment