Author Topic: Poss vulnerability  (Read 5224 times)

Offline stonesurfer

« on: January 09, 2009, 02:18:10 PM »
Hi and thanks for a really great webmail package.

I've had version 0.1-stable running for quite a while with pleasing results.

Whilst perusing my web error logs on several servers that don't have it installed, I have noticed there seems to be some activity related to a roundcube file.

[09/Jan/2009:02:27:26 +0000] "GET /roundcube/bin/msgimport HTTP/1.1" 404 299 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"


I'm afraid I don't have any more information than to say that error logs for all my domains are plastered with this. It's only started to occur very recently so somebody out there's noted some kind of vuln...

I further see there's an update to 0.2-stable dated 30DEC08.

My question is, to which version could this vulnerability be related? Is it something in 0.1 that's addressed in 0.2, or is there possibly something in 0.2 that people are attempting to take advantage of?

Kindest regards and cheers for great webmail package

SS
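
One way to triage log entries like the one quoted in the post above, added here as an example and not part of the original thread: it counts requests for the probed path per client and picks out any that were not answered with 404. The function names, the sample lines after the first, and matching the path under any prefix are assumptions.

```python
import re
from collections import Counter

# Apache combined-format line. The leading "client ident user" fields are
# optional because the entry quoted in the post starts at the timestamp.
LINE_RE = re.compile(
    r'^(?:(?P<client>\S+) \S+ \S+ )?\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Trailing path from the post; matching it under any prefix is an assumption.
PROBE_RE = re.compile(r'/bin/msgimport/?(?:\?.*)?$', re.IGNORECASE)

# First line is the entry from the post; the rest are constructed samples.
SAMPLE_LOG = [
    '[09/Jan/2009:02:27:26 +0000] "GET /roundcube/bin/msgimport HTTP/1.1" 404 299 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"',
    '192.0.2.10 - - [09/Jan/2009:02:27:27 +0000] "GET /webmail/bin/msgimport HTTP/1.1" 404 297 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Jan/2009:02:27:28 +0000] "GET /mail/bin/msgimport HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jan/2009:02:30:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def find_probes(lines):
    """Return (hits, by_client, by_status) for requests to the probed path."""
    hits, by_client, by_status = [], Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not PROBE_RE.search(m.group("path")):
            continue  # unparseable line or unrelated request
        client = m.group("client") or "unknown"
        status = int(m.group("status"))
        hits.append((m.group("ts"), client, m.group("path"), status))
        by_client[client] += 1
        by_status[status] += 1
    return hits, by_client, by_status

def needs_attention(hits):
    """Probes not answered with 404: the path resolved to something on this
    host, so check whether Roundcube is installed there and at which version."""
    return [h for h in hits if h[3] != 404]

if __name__ == "__main__":
    hits, by_client, by_status = find_probes(SAMPLE_LOG)
    print("probes:", len(hits), dict(by_client), dict(by_status))
    for ts, client, path, status in needs_attention(hits):
        print(f"CHECK {status} {path} from {client} at {ts}")
```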

Offline dpecile

« Reply #1 on: January 09, 2009, 04:06:53 PM »
You must upgrade ASAP or remove Roundcube; for some days there has been an exploit that runs a file named wcube in /tmp.

Good luck.

Demian

4 hours working today translating Roundcube, and fixing my own pass change.

Offline stonesurfer

« Reply #2 on: January 09, 2009, 05:19:32 PM »
Thanks Demian, I've upgraded.

I wondered if it was a known exploit that 0.2-stable addressed or whether it was something new. Guess I'm late to the party! It's not a production server it runs on anyway - just one of my test boxes, hence my ignorance in keeping on top of security alerts.

I really do like the RC interface, all kudos to the team!

My /tmp is mounted with noexec,nosuid,nodev flags so it's possible that renders this particular exploit harmless, but wouldn't like to bet on it!

Thanks for taking the time to reply!

stonesurfer

Offline ABerglund

  • Global Moderator
« Reply #3 on: January 09, 2009, 09:33:23 PM »
Quote from: stonesurfer;16197
I wondered if it was a known exploit that 0.2-stable addressed or whether it was something new.
This was patched late in the 0.2-beta run.
Arne Berglund
SysAdmin, Internet Services
Lane Education Service District
Eugene, OR, USA