Roundcube Community Forum » News and Announcements » General Discussion » Possible security concern?
Topic: Possible security concern? (Read 4683 times)
dre2004 (Newbie, Posts: 4)
Possible security concern? « on: February 11, 2008, 07:58:01 AM »
Hi All,
I've been playing with Round Cube for a few weeks and I find it great. I was in the process of looking at hacking an addon when this came to me. All the include files (other than the ones in config/*) are plain text files which by default don't get parsed by the web server as PHP.
So if you were to go to http://<domain name here>/program/include/main.inc you will see the source code of the main.inc
Now in order to fix this a few things can be done:
1) Configure your webserver to treat *.inc files as php (could possibly break some other sites?)
2) Rename all the files to *.inc.php and then change all references in the code to use these new names.
It would be interesting to know how many people are actually running round cube and haven't thought of this.
Cheers,
A
dre2004 (Newbie, Posts: 4)
Re: Possible security concern? « Reply #1 on: February 11, 2008, 08:09:52 AM »
I've done a quick search with google and there are quite a few sites out there with this issue.
happy (Newbie, Posts: 4)
Re: Possible security concern? « Reply #2 on: February 11, 2008, 10:52:12 AM »
If you are using Apache, it will be an easy fix.

```apache
# Deny direct web access to *.inc include files (Apache 2.2 mod_authz_host syntax).
# The <FilesMatch> wrapper is the directive referred to in Reply #5 below.
<FilesMatch "\.inc$">
    Order allow,deny
    Deny from all
</FilesMatch>
```
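To see what such a rule actually covers, here is an added example (not from the thread or from Roundcube) that applies Apache's FilesMatch semantics, an unanchored regex search on the file's basename, to a constructed sample of a Roundcube webroot and reports which .inc files would still be served verbatim. It also shows that the unanchored pattern `\.inc` catches `*.inc.php` as well, which matters if you take the rename-to-.inc.php route instead. The rule only takes effect from an .htaccess file if the directory allows it (AllowOverride Limit for Order/Deny in Apache 2.2), so confirm that with a request for main.inc after deploying.

```python
import re
from pathlib import PurePosixPath

# Constructed, illustrative sample of paths under a Roundcube webroot (not a real
# file listing): config/*.inc.php is parsed by PHP, program/include/*.inc is not.
WEBROOT_FILES = [
    "index.php",
    "config/main.inc.php",
    "config/db.inc.php",
    "program/include/main.inc",
    "program/include/rcube_imap.inc",
    "program/js/app.js",
    "skins/default/common.css",
]

# Assumption: a stock Apache + mod_php setup that only interprets .php files.
PHP_EXTS = {".php"}


def filesmatch_denies(path, deny_patterns):
    """Apache <FilesMatch> semantics: every pattern is an unanchored regex
    search against the basename only, never against the directory part."""
    name = PurePosixPath(path).name
    return any(re.search(pattern, name) for pattern in deny_patterns)


def exposed_sources(paths, deny_patterns, php_exts=PHP_EXTS):
    """Return the .inc files a client could fetch as plain text: not handed to
    PHP and not caught by any of the FilesMatch deny rules."""
    exposed = []
    for path in paths:
        if PurePosixPath(path).suffix in php_exts:
            continue  # interpreted server-side, source never leaves the box
        if not path.endswith(".inc"):
            continue  # static assets are meant to be served
        if not filesmatch_denies(path, deny_patterns):
            exposed.append(path)
    return exposed


def blocked_files(paths, deny_patterns):
    """Everything a rule set blocks; use it to spot over-broad patterns."""
    return [p for p in paths if filesmatch_denies(p, deny_patterns)]


if __name__ == "__main__":
    print("no rule     :", exposed_sources(WEBROOT_FILES, []))
    print("\\.inc$ rule :", exposed_sources(WEBROOT_FILES, [r"\.inc$"]))
    # Unanchored \.inc also matches main.inc.php: harmless for config/ (never
    # requested directly) but it breaks the rename-to-.inc.php approach.
    print("\\.inc blocks:", blocked_files(WEBROOT_FILES, [r"\.inc"]))
```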
seansan (Jr. Member, Posts: 84)
Re: Possible security concern? « Reply #3 on: February 11, 2008, 12:28:36 PM »
In RC2 this is available, or at least in the coming release:
http://trac.roundcube.net/browser/trunk/roundcubemail/.htaccess
What version are you using?
dre2004 (Newbie, Posts: 4)
Re: Possible security concern? « Reply #4 on: February 11, 2008, 03:54:06 PM »
I'm using RC1 still. I will try the suggested Apache fixes.
dre2004 (Newbie, Posts: 4)
Re: Possible security concern? « Reply #5 on: February 11, 2008, 07:26:39 PM »
The FilesMatch directive has done the trick. Is this issue addressed in RC2?
xyanide (Jr. Member, Posts: 41)
Re: Possible security concern? « Reply #6 on: February 12, 2008, 10:20:32 AM »
This has been added in Roundcube RC2:
"Forbidden
You don't have permission to access /program/include/main.inc on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."
evilbunny (Jr. Member, Posts: 13)
Re: Possible security concern? « Reply #7 on: February 13, 2008, 03:42:34 AM »
For what it's worth, the Debian or Ubuntu packages, at the very least for lighttpd, block direct access to .inc files by default, although it might be a lighttpd default.