Security Alert: RoundCubeMail
ATTENTION: All server administrators using RoundCubeMail as their MailServer interface.
ISSUE of RoundCubeMail:
We have found multiple vulnerabilities and corrected them in RoundCubeMail:
The login form
In Roundcube Webmail before 0.5.1 does not properly manage a correctly authenticated but unintended login attempt. Therefore, this makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to log in. To the attacker’s account and then compose an e-mail message, related to a login CSRF issue (CVE-2011-1491).
In Roundcube Webmail before 0.5.1, it does not properly verify that a request is an expected request for an external Cascading Style Sheet (CSS) stylesheet. CSS stylesheets enable remote authenticated users to trigger arbitrary outbound TCP connections from the server. Besides, it would possibly acquire sensitive data through a crafted request. (CVE-2011-1492).
Cross-site scripting (XSS)
In Roundcube Webmail, a vulnerability in UI messages before 0.5.4 allows remote attackers to inject arbitrary web scripts or HTML via the _mbox parameter to the default URI (CVE-2011-2937).
Include/iniset.php in Roundcube Webmail
In Roundcube Webmail 0.5.4 and earlier, when using PHP 5.3.7 or 5.3.8, remote attackers can trigger a GET request for an arbitrary URL. This causes a denial of service (resource consumption and inbox interruption) via a subject header containing only one URL, a related issue to CVE-2011-3379 (CVE-2011-4078).
RESOLUTION To RoundCubeMail Issue:
Upgrade the RoundCube Webmail to version 0.7.2