A critical vulnerability in the Roundcube webmail application could allow an attacker to install and execute arbitrary code. Users of versions of Roundcube prior to 1.2.3 should update immediately to remove the risk. All versions from 1.0 to 1.2.2 are vulnerable. The vulnerability was patched immediately upon its disclosure, and the patched version is available from the Roundcube site and Linux distribution repositories.
Roundcube is an immensely popular webmail client used by web hosting providers, business email providers, and individual users. Its development community takes security seriously, which is a major reason Roundcube is trusted by so many organizations. But a coding error in the way Roundcube interfaces with PHP’s mail-sending function opens a door that could allow an attacker to execute their own PHP code on the server.
For a malicious user to take advantage of this vulnerability, they must have an account on the server. The vulnerability is exploited by sending an email, so an outside attacker can’t take advantage here without stealing email credentials, but that leaves plenty of scope for user mischief.
In addition to requiring a user account, a few other conditions must hold before the vulnerability can be exploited. The attacker has to know, or be able to guess, the absolute path of the server’s web root. Depending on how the server is configured, this may be quite difficult, but in many cases a knowledgeable and persistent attacker will be able to work it out.
Additionally, Roundcube must be configured to use PHP’s mail() function. If an SMTP server is configured, the mail() function won’t be used. The mail() function must also be configured to use the sendmail application and PHP’s safe mode must be turned off.
That may seem like quite a set of hurdles for an attacker to traverse, but unfortunately most are the default settings for Roundcube. It’s likely that many thousands of Roundcube installations are vulnerable to exploitation.
The ultimate cause of the vulnerability is a failure to properly sanitize input to the fifth parameter of PHP’s mail() function. That parameter (additional_params) is appended to the sendmail command line, so it can carry sendmail options. Sendmail has an option to log all mail traffic to a file, and because the value passed to mail() is not sanitized, an attacker can choose where that log file is written.
So, bringing all that together: an attacker with a user account can send an email containing malicious code and have that code stored in the webroot of the server.
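The defensive side of the flaw described above, as an added example that is not Roundcube’s code or its actual patch: the sender address is validated before it is used to build the fifth argument of mail(), and the value is shell-quoted as a second layer. Function names and the log message are assumptions for illustration.

```php
<?php
// Hardened construction of mail()'s fifth argument (additional_params).
// The weak pattern is passing a user-supplied sender straight into
// "-f<address>", which lets extra sendmail options ride along.

function envelope_sender_params(string $from): ?string
{
    // Reject anything that is not a plain address. FILTER_VALIDATE_EMAIL
    // refuses whitespace and most punctuation, so a value that carries
    // additional command-line tokens never reaches the sendmail call.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Second layer: quote the value for the shell even though it validated,
    // so a future relaxation of the check cannot reintroduce the problem.
    return '-f' . escapeshellarg($from);
}

function send_with_envelope(string $to, string $subject, string $body, string $from): bool
{
    $params = envelope_sender_params($from);
    if ($params === null) {
        // Fail closed: refuse to send rather than fall back to an unchecked value.
        // Hex-encode the rejected input so the log line itself stays one token.
        error_log('rejected envelope sender: ' . bin2hex($from));
        return false;
    }
    $headers = 'From: ' . $from . "\r\n";
    return mail($to, $subject, $body, $headers, $params);
}

// Constructed inputs: the first is accepted, the second is refused.
var_dump(envelope_sender_params('alice@example.com'));       // string "-f'alice@example.com'"
var_dump(envelope_sender_params('alice@example.com -Q x'));  // NULL
```

Configuring an SMTP server instead of mail(), as the article notes, removes the sendmail command line from the picture altogether and is the simpler mitigation where it is available.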
The vulnerability was discovered by the developers of RIPS, a PHP vulnerability scanning application. In general the RIPS developers are complimentary about Roundcube’s security. Apart from the critical vulnerability we’ve been discussing, it’s a solid application that takes security seriously.