check_request() bypass in archive plugin #6238
Comments
CVE-2018-9846 was assigned for this issue.
Hello, guys. Could you comment on the current status of this issue? Are there any known cases of usages of this vulnerability? The thing is that a few days ago a lot of servers were hacked with the Vesta control panel, and several hosting providers said that the current working directory of virus was
Honestly, I don't think they are related @StudioMaX
I also think this is another issue. Fixed.
Any reason this landed only in 1.3 and not 1.2? What's the state of the 1.2 branch? Does it still get security updates?
@dol The reason is: we're understaffed but an update will follow soon. See http://lists.roundcube.net/pipermail/users/2018-April/011935.html
@thomascube Thank you for pointing this out. No problem. We will wait. Thank you for the work.
As explained in my last comment on #6229 (which I'm going to quote):
I tested this on roundcube 1.2.0 and a simple
?_task=mail&_mbox=INBOX&_action=plugin.move2archive&_uid=255%20BODY[HEADER]%0d%0aA0006%20CREATE%20%22hacked5%22%0d%0aA0007%20UID%20FETCH%20255
works flawlessly. On more recent versions like 1.3.4-5 SOP kicks in, but if it's somehow respected or bypassed then the same exploit works (it will return a File not Found template; nonetheless the code will be executed).
PS: I'd like to publish an advisory on packetstorm about the whole thing. Are you going to push out 1.3.6 anytime soon? Is it okay for you if I go public prior to 1.3.6?
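A log check for the request shape quoted above, as an added example that is not part of the original issue or of Roundcube's code: it scans access-log lines for `plugin.move2archive` requests whose decoded `_uid` contains CR/LF. The log lines are constructed, and the rule that a legitimate `_uid` is a plain IMAP sequence set is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate _uid is an IMAP sequence set (digits, ',', ':', '*').
SEQUENCE_SET = re.compile(r"^[0-9*]+(?:[:,][0-9*]+)*$")
# Request field of a common/combined-format access-log line.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')

# Constructed sample lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2018:10:00:01 +0000] "GET /?_task=mail&_mbox=INBOX'
    '&_action=plugin.move2archive&_uid=255 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Apr/2018:10:00:05 +0000] "GET /?_task=mail&_mbox=INBOX'
    '&_action=plugin.move2archive&_uid=255%20BODY[HEADER]%0d%0aA0006%20NOOP'
    ' HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Apr/2018:10:01:00 +0000] "GET /?_task=mail&_action=list'
    '&_uid=1 HTTP/1.1" 200 512',
]

def classify_uid(uid):
    """Return 'injection', 'suspicious' or 'ok' for a URL-decoded _uid value."""
    if "\r" in uid or "\n" in uid:
        return "injection"   # CR/LF would start a new IMAP command line
    if not SEQUENCE_SET.match(uid):
        return "suspicious"  # not a plain sequence set; review by hand
    return "ok"

def scan(lines):
    """Yield (line_number, verdict, decoded_uid) for flagged archive requests."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        if "plugin.move2archive" not in query.get("_action", []):
            continue
        for uid in query.get("_uid", []):
            verdict = classify_uid(uid)
            if verdict != "ok":
                yield number, verdict, uid

if __name__ == "__main__":
    for number, verdict, uid in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}: {uid!r}")
```

Only query-string parameters appear in access logs, so a `_uid` sent in a POST body is not visible to this check.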