Vulnerability in handling _session argument of utils/save-prefs action #4362

rcubetrac opened this Issue Oct 17, 2013 · 5 comments


None yet
3 participants

Reported by @alecpl on 17 Oct 2013 08:14 UTC as Trac ticket #1489382

It is possible to overwrite any variable in $_SESSION. This gives an attacker a lot of possibilities.


Comment by @alecpl on 17 Oct 2013 08:26 UTC

Fixed in 70c7df8 and backported to all release branches down to 0.7.

Status changed by @alecpl on 17 Oct 2013 08:26 UTC

new => closed

rcubetrac closed this Oct 17, 2013

Comment by @thomascube on 20 Feb 2014 14:04 UTC

CVE number for this is: CVE-2013-6172

The update notification with links to patches can be found here:

alecpl was assigned by rcubetrac Mar 20, 2016

rcubetrac added this to the 0.9.5 milestone Mar 20, 2016

HaToan commented Apr 7, 2017 edited

CVE-2013-6172. steps/utils/ in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.
Help me! find function contain vulnerbility "read arbitrary files" ?.
Thank you.


alecpl commented Apr 7, 2017

We don't really support these old versions. Here's the commit: 70c7df8.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment