Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Permissions issue with enigma plugin allows exfiltration of secret gpg key file #6173

Closed
exploitagency opened this issue Feb 12, 2018 · 6 comments
Closed

Permissions issue with enigma plugin allows exfiltration of secret gpg key file #6173

exploitagency opened this issue Feb 12, 2018 · 6 comments
Labels
C: Encryption C: Plugins enhancement
Milestone
1.4-beta

Comments

@exploitagency
Copy link

exploitagency commented Feb 12, 2018
edited

Although this not exactly access to the secret key since it is password protected you still have to crack it.

See my reference here.

https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt
@exploitagency exploitagency changed the title Permissions Issue with enigma plugin? Permissions issue with enigma plugin allows exfiltration of secret gpg key Feb 12, 2018
@alecpl
Copy link
Member

alecpl commented Feb 12, 2018

I'm not sure what we could do here. Securing that directory is the same as securing the temp_dir of Roundcube. There's .htaccess file. It's also not writable by default so users have to set permissions (or the folder location) by their own.

We could only add additional warning in README and sample config.

@exploitagency exploitagency changed the title Permissions issue with enigma plugin allows exfiltration of secret gpg key Permissions issue with enigma plugin allows exfiltration of secret gpg key file Feb 12, 2018
@exploitagency
Copy link
Author

exploitagency commented Feb 12, 2018
edited

I suppose using a strong password is in order and keep outside of the web folders like www.

@thomascube
Copy link
Member

The best way is to move it out of the webserver's document root tree and configure the location with $config['enigma_pgp_homedir']. Maybe we should enforce people to deliberately chose a location and always configure the homedir by removing the default of having it inside the plugins directory which by definition has to be accessible by the webserver.

@exploitagency
Copy link
Author

exploitagency commented Feb 14, 2018
edited

The problem is nginx doesn't use the .htaccess files provided and all of these automated install scripts use nginx as the web server.

Reference https://bitbucket.org/zhb/iredmail/issues/130/multiple-security-issues-with-default

@alecpl alecpl added this to the 1.4-beta milestone Feb 15, 2018
alecpl added a commit that referenced this issue Mar 4, 2018
@alecpl
Remove default for enigma_pgp_homedir (#6173)
48417c5 
To make the default installation more secure force users to set the folder.
Added notes that it should be secured or not accessible from the web browser.
@alecpl
Copy link
Member

alecpl commented Mar 4, 2018

Fixed by adding some notes to README and removing default value for enigma_pgp_homedir.

@alecpl alecpl closed this as completed Mar 4, 2018
@exploitagency
Copy link
Author

👍 Thanks

@jowi24 jowi24 mentioned this issue Nov 21, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C: Encryption C: Plugins enhancement
Projects
None yet
Milestone
1.4-beta
Development

No branches or pull requests
3 participants
@alecpl @thomascube @exploitagency