Roundcube Community Forum


Possible security concern?

Started by dre2004, February 11, 2008, 07:58:01 AM


dre2004

Hi All,

I've been playing with Roundcube for a few weeks and I find it great. I was in the process of looking at hacking an addon when this came to me. All the include files (other than the ones in config/*) are plain text files which by default don't get parsed by the web server as PHP.

So if you were to go to http://<domain name here>/program/include/main.inc you will see the source code of main.inc.

Now in order to fix this a few things can be done:

1) Configure your webserver to treat *.inc files as PHP (could possibly break some other sites?)
2) Rename all the files to *.inc.php and then change all references in the code to use these new names.

It would be interesting to know how many people are actually running round cube and haven't thought of this.

Cheers,
A
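An Apache configuration that puts both of the fixes listed above side by side, added here as an example; it is not from this thread or from the Roundcube project. The ServerName, DocumentRoot and the extra extensions in the deny pattern are placeholders or assumptions.

```apache
# Added example (not from the thread or the Roundcube project). Placeholder
# hostname and document root; adjust to your install.
<VirtualHost *:80>
    ServerName webmail.example.com
    DocumentRoot /var/www/roundcube

    # WEAK (the stock situation the thread describes): Apache has no handler
    # for *.inc, so GET /program/include/main.inc is served as text/plain and
    # the PHP source is disclosed. Nothing needs to be configured for this to
    # happen; it is the absence of a rule that is the problem.

    # Fix 2 from the thread (preferred): refuse to serve include files at all.
    # Apache 2.2 syntax, as quoted in the thread. The extra extensions (bak,
    # orig, editor ~ backups) are an assumption; drop them if unwanted.
    <FilesMatch "\.(inc|bak|orig)$|~$">
        Order allow,deny
        Deny from all
    </FilesMatch>

    # Same rule in Apache 2.4 syntax (mod_authz_core) if you run 2.4:
    # <FilesMatch "\.(inc|bak|orig)$|~$">
    #     Require all denied
    # </FilesMatch>

    # Fix 1 from the thread: have mod_php parse *.inc. This stops the source
    # disclosure, but a direct request still executes the include outside
    # Roundcube's bootstrap, and scoping it to the vhost is what avoids the
    # "break other sites" concern. Weaker than denying; shown disabled.
    # AddType application/x-httpd-php .inc
</VirtualHost>
```

After a config reload, `curl -sI http://webmail.example.com/program/include/main.inc` should return a 403, which is the "Forbidden" response quoted later in this thread. The lighttpd equivalent is its `url.access-deny` directive, e.g. `url.access-deny = ( "~", ".inc" )`.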

dre2004

I've done a quick search with google and there are quite a few sites out there with this issue.

happy

If you are using Apache, it will be an easy fix.


    # Deny direct requests for *.inc files (Apache 2.2 syntax). The FilesMatch
    # wrapper and its pattern are assumed; only the inner directives were quoted.
    <FilesMatch "\.inc$">
        Order allow,deny
        Deny from all
    </FilesMatch>

seansan

In RC2 this is available, or at least in the coming release:

http://trac.roundcube.net/browser/trunk/roundcubemail/.htaccess

What version are you using?

dre2004

I'm using RC1 still. I will try the suggested apache fixes.

dre2004

The FilesMatch directive has done the trick. Is this issue addressed in RC2?

xyanide

This has been added in Roundcube RC2

("Forbidden
You don't have permission to access /program/include/main.inc on this server.


Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.")

evilbunny

For what it's worth the debian or ubuntu packages at the very least for lighttpd block direct access to .inc files by default. Although it might be a lighttpd default.