Reported by @alecpl on 17 Oct 2013 08:14 UTC as Trac ticket #1489382
It is possible to overwrite any variable in $_SESSION. This gives an attacker a lot of possibilities.
Comment by @alecpl on 17 Oct 2013 08:26 UTC
Fixed in 70c7df8 and backported to all release branches down to 0.7.
Status changed by @alecpl on 17 Oct 2013 08:26 UTC
new => closed
Comment by @thomascube on 20 Feb 2014 14:04 UTC
CVE number for this is: CVE-2013-6172
The update notification with links to patches can be found here: http://roundcube.net/news/2013/10/21/security-updates-095-and-087/
CVE-2013-6172. steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.
Help me! Which function contains the "read arbitrary files" vulnerability?
We don't really support these old versions. Here's the commit: 70c7df8.
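For readers of this ticket who want to see the pattern rather than dig through the old branches: the following is an added illustration, not Roundcube's code and not the content of commit 70c7df8. It contrasts the unsafe shape the report describes (a request parameter naming which $_SESSION key gets written, so any session variable can be overwritten) with an allowlist-based handler where the client only names a preference and the server decides which session key, if any, mirrors it. The function names (save_pref_unsafe, save_pref_safe), the preference list, the validators and the demo request are all assumptions made for this example.

```php
<?php
// Added example, not Roundcube's code. Shows the "client names the session key"
// pattern reported in this ticket next to an allowlist-based replacement.
// All names, preferences and validators below are assumptions for illustration.

/**
 * Unsafe: the request decides which session key is written. The key is never
 * checked against anything, so any variable in the session can be overwritten,
 * not only the preference the request claims to save.
 */
function save_pref_unsafe(array &$session, array $post): void
{
    $value    = $post['_value']   ?? null;
    $sessname = $post['_session'] ?? '';
    if ($sessname !== '') {
        $session[$sessname] = $value;   // attacker-controlled key and value
    }
}

/**
 * Safe: the request may only name a known preference. The server-side table
 * decides whether that preference is mirrored into the session and under which
 * key, and the value must pass a validator before anything is stored.
 */
function save_pref_safe(array &$session, array $post): bool
{
    // Assumed table: preference name => [session key or null, validator]
    static $allowed = [
        'preview_pane' => ['preview_pane', 'is_bool_like'],
        'pagesize'     => ['pagesize',     'is_small_int'],
        'message_sort' => [null,           'is_sort_col'],   // stored elsewhere, not in the session
    ];

    $name  = $post['_name']  ?? '';
    $value = $post['_value'] ?? null;

    if (!isset($allowed[$name])) {
        return false;                     // unknown preference: reject
    }
    [$sessKey, $validator] = $allowed[$name];
    if (!$validator($value)) {
        return false;                     // value fails its validator: reject
    }
    if ($sessKey !== null) {
        $session[$sessKey] = $value;      // key chosen by the server, never by the client
    }
    return true;
}

// Assumed validators for the example preferences.
function is_bool_like($v): bool { return in_array($v, ['0', '1'], true); }
function is_small_int($v): bool { return ctype_digit((string) $v) && (int) $v >= 1 && (int) $v <= 200; }
function is_sort_col($v):  bool { return in_array($v, ['date', 'subject', 'from', 'size'], true); }

// Constructed demo request: claims to save "pagesize" but names an unrelated
// session key. The _session parameter is simply not read by the safe handler.
$request = ['_name' => 'pagesize', '_value' => '25', '_session' => 'username'];

$session = ['username' => 'alice', 'pagesize' => 50];
save_pref_unsafe($session, $request);
echo "unsafe: username=", $session['username'], " pagesize=", $session['pagesize'], "\n";

$session = ['username' => 'alice', 'pagesize' => 50];
$ok = save_pref_safe($session, $request);
echo "safe:   accepted=", var_export($ok, true),
     " username=", $session['username'], " pagesize=", $session['pagesize'], "\n";
```

Run it with `php` on the command line; no real session is started, the arrays stand in for $_SESSION and $_POST. The point of the safe version is that the set of writable session keys is fixed in server code: a request can pick an entry from that table but cannot name a key of its own, which is the property the original report says was missing.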