Topic: RoundCube News: Security update for 0.2-beta

bpat1434 (Administrator)
RoundCube News: Security update for 0.2-beta
« on: December 16, 2008, 01:06:03 PM »
There were two security issues reported which are now fixed. The first was a possible code injection using the html2text conversion script. The other exploit used the unchecked size parameters of the quota image to let PHP create huge images, eating up all the server memory.


lvanderree
Ubuntu 8.10 server hacked, probably because of this
« Reply #1 on: January 14, 2009, 05:54:37 PM »
I have an Ubuntu server (8.10) with RoundCube 0.1.1 (default package from Ubuntu 8.10), and I can provide the following logs:


apache access log:
62.193.202.XX - - [12/Jan/2009:21:48:13 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 759 "-" "-"
62.193.202.XX - - [12/Jan/2009:21:48:27 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 180 "-" "-"
(these are the only two actions performed as can be found in my apache-log)

in my syslog I can see:
Jan 12 21:48:29 fun4me crontab[10065]: (www-data) REPLACE (www-data)
Jan 12 21:48:29 fun4me crontab[10066]: (www-data) LIST (www-data)

crontab -u www-data -l   gives me:
* * * * * /var/tmp/.ICE-unix/.../.tmp/data/mysqld-lock >/dev/null 2>&1

and ls -l /var/tmp/.ICE-unix/.../.tmp/data/ gives me:
-rw-r--r-- 1 www-data www-data      71 2009-01-12 21:48 cron.d
drwxr-xr-x 2 www-data www-data    4096 2009-01-12 21:48 home
-rwxr-xr-x 1 www-data www-data 1063697 2008-01-20 16:42 mysqld
-rw-r--r-- 1 www-data www-data      33 2009-01-12 21:48 mysqld.dir
-rwxr-xr-x 1 www-data www-data     178 2008-01-20 16:42 mysqld-exec
-rwxr-xr-x 1 www-data www-data     359 2008-01-20 16:42 mysqld-install
-rwxr--r-- 1 www-data www-data     244 2009-01-12 21:48 mysqld-lock
-rw-rw-rw- 1 www-data www-data       6 2009-01-12 21:48 mysqld.pid
-rwxr-xr-x 1 www-data www-data   21516 2008-01-20 16:42 xh

xh gets detected as HackTool.Linux.ProcHider.a (Viruslist.com - HackTool.Linux.ProcHider.a).
I guess mysqld is a virus as well, but it does not get detected (yet).

I will try to add this exploit to Launchpad as well (if possible).

I already found out it was a spam-bot that got inserted in my system.
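
Added example, not part of lvanderree's post and not RoundCube project code: a Python detection check that correlates the two log sources quoted above, flagging a crontab REPLACE by www-data that follows POST requests to html2text.php. The function names, the 60-second window, and the assumption that syslog uses the same local time zone as the access log are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Sample input: the log lines quoted in the post above (client IP redacted there).
# Assumption: syslog timestamps are in the same local time zone as the access log.
ACCESS_LOG = """\
62.193.202.XX - - [12/Jan/2009:21:48:13 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 759 "-" "-"
62.193.202.XX - - [12/Jan/2009:21:48:27 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 180 "-" "-"
"""
SYSLOG = """\
Jan 12 21:48:29 fun4me crontab[10065]: (www-data) REPLACE (www-data)
Jan 12 21:48:29 fun4me crontab[10066]: (www-data) LIST (www-data)
"""
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
CRON_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ crontab\[\d+\]: '
    r'\((?P<actor>[^)]+)\) REPLACE \((?P<target>[^)]+)\)')

def script_posts(access_log, suffix="/bin/html2text.php"):
    """Yield (local_time, client) for each POST to the conversion script."""
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0].endswith(suffix):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts.replace(tzinfo=None), m["client"]  # keep wall-clock time

def crontab_replacements(syslog, year, user="www-data"):
    """Yield local times at which `user` replaced a crontab (syslog has no year)."""
    for line in syslog.splitlines():
        m = CRON_RE.match(line)
        if m and m["actor"] == user:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")

def correlate(access_log, syslog, year, window=timedelta(seconds=60)):
    """Pair each crontab REPLACE with script POSTs in the preceding window."""
    posts = list(script_posts(access_log))
    findings = []
    for cron_ts in crontab_replacements(syslog, year):
        near = [(ts, c) for ts, c in posts if timedelta(0) <= cron_ts - ts <= window]
        if near:
            findings.append({"crontab_replaced": cron_ts, "posts": len(near),
                             "clients": sorted({c for _, c in near})})
    return findings

if __name__ == "__main__":
    for finding in correlate(ACCESS_LOG, SYSLOG, year=2009):
        print(finding)
```

A web server account rewriting its own crontab is rarely legitimate, so the crontab REPLACE by www-data is worth alerting on even when no matching request is found.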

cr3pt
RoundCube News: Security update for 0.2-beta
« Reply #2 on: January 24, 2009, 04:01:13 PM »
egh...
upgrade to 0.2 !!
regards
cr3pt