A nasty bug in Roundcube webmail that let an attacker crash it remotely has been patched in version 1.2.3. The developers behind Roundcube have asked sysadmins to push the patch out to users.
Attacking Roundcube by leveraging this vulnerability is a piece of cake. Attackers can simply compose an email containing malicious code to attack the open source webmail package. The code that ends up in the malicious PHP file is supplied through the email's subject line, from which it is inserted automatically.
The prime reason behind the vulnerability is the simple functional structure of Roundcube webmail. The program takes inputs from the Roundcube UI and passes them on to PHP's mail() function, which in turn invokes sendmail.
The user input that ends up as the fifth argument of mail() is not sanitised, which makes it possible to run sendmail with the -X option, which logs mail traffic to a file. That log file can be abused to carry the malicious content and can be written into the target server's webroot directory. A subsequent HTTP request to the server can then be used to insert the malicious PHP file.
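To make the defect concrete, here is an added illustration (not Roundcube's own code; the function and variable names are hypothetical) of the risky pattern the article describes, a user-controlled sender address flowing into the fifth argument of mail(), next to a hardened version that only passes a value proven to be a plain address:

```php
<?php
// Risky pattern: the sender address the user typed goes straight into the
// fifth mail() argument, which PHP appends to the sendmail command line.
// A value that is an option string rather than an address changes how
// sendmail is invoked.
function send_unsafe(string $to, string $subject, string $body, string $from): bool
{
    return mail($to, $subject, $body, "From: $from", "-f$from");
}

// Hardened: accept the value only if it is a bare, well-formed address with
// no whitespace, control characters or a leading '-'. Anything else is
// refused outright rather than "cleaned up".
function safe_envelope_sender(string $from): ?string
{
    $from = trim($from);
    if ($from === '' || $from[0] === '-') {
        return null;
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Whitespace or control bytes would let sendmail see extra tokens.
    if (preg_match('/[\s\x00-\x1f\x7f]/', $from)) {
        return null;
    }
    return $from;
}

function send_safe(string $to, string $subject, string $body, string $from): bool
{
    $sender = safe_envelope_sender($from);
    if ($sender === null) {
        // Record the rejected value hex-encoded so the log itself is inert.
        error_log('rejected envelope sender: ' . bin2hex($from));
        return false;
    }
    // Quote the validated address so the shell sees exactly one argument.
    return mail($to, $subject, $body, "From: $sender", '-f' . escapeshellarg($sender));
}

// Constructed inputs: a legitimate address is accepted, an option-looking
// string and an address with an embedded space are rejected.
var_dump(safe_envelope_sender('alice@example.org'));      // string "alice@example.org"
var_dump(safe_envelope_sender('-Xwhatever'));             // NULL
var_dump(safe_envelope_sender('alice@example.org -oQ'));  // NULL
```

The rejection log line is also a useful detection signal: repeated rejected senders beginning with '-' from one account are worth an alert.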
The Roundcube team has published the patch on its GitHub page. The easiest way to fix the vulnerability on the server side is to download and install Roundcube webmail version 1.2.3 from the official website. Roundcube installations that are not configured to use an SMTP server for mail delivery should download version 1.1.7.