Roundcube Community Forum

Topic started by: woyzeck on December 31, 2006, 11:38:55 AM

Title: security flaw
Post by: woyzeck on December 31, 2006, 11:38:55 AM

Does anyone know if the issue reported at sans.org has been resolved? I have not been able to find any information on this site about it. I am currently running v0.1-beta2 released on 12-23 on a test machine.

http://www.sans.org/newsletters/risk/display.php?v=5&i=46#06.46.73

http://www.securityfocus.com/bid/21042

Sincerely,

Woyzeck

Title: Re: security flaw
Post by: ajc2004 on December 31, 2006, 06:34:24 PM
Good question!

I tested the exploit published on SecurityFocus against my Roundcube installation (0.1beta2) and it does not seem to be vulnerable. Thankfully I have the webmail protected via htpasswd authentication to protect it from casual hacking attempts.

Title: Re: security flaw
Post by: jamtur01 on January 01, 2007, 07:56:54 AM
I tested this exploit with the current SVN release and it no longer appears vulnerable.

Regards

James Turnbull

Title: Re: security flaw
Post by: yllar on January 01, 2007, 08:02:27 AM
It was fixed in r382 (http://trac.roundcube.net/trac.cgi/changeset/382).

Title: Re: security flaw
Post by: UPN1541 on January 01, 2007, 08:14:15 PM
Forgive me if I'm clearly missing this...

Are there instructions on how to upgrade a 2006/08/06 beta2 install to the latest 2006/12/23 beta2 for the security patch?

I looked at the docs that came with the file but only the change log had been updated.

Can someone point me in the right direction for proper instructions, or share them?

Thanks!