Roundcube Community Forum

 

security flaw

Started by woyzeck, December 31, 2006, 11:38:55 AM


woyzeck


Does anyone know if the issue reported at sans.org has been resolved? I have not been able to find any information on this site about it. I am currently running v0.1-beta2 released on 12-23 on a test machine.

http://www.sans.org/newsletters/risk/display.php?v=5&i=46#06.46.73

http://www.securityfocus.com/bid/21042

Sincerely,

Woyzeck

ajc2004

Good question!

I tested the exploit published on SecurityFocus against my Roundcube installation (0.1beta2) and it does not seem to be vulnerable. Thankfully I have the webmail protected via htpasswd authentication to protect it from casual hacking attempts.

jamtur01

I tested this exploit with the current SVN release and it no longer appears vulnerable.

Regards

James Turnbull


UPN1541

Forgive me if I'm clearly missing this...

Are there instructions on how to upgrade a 2006/08/06 beta2 install to the latest 2006/12/23 beta2 for the security patch???

I looked at the docs that came with the file but only the change log had been updated.

Can someone point me in the right direction for proper instructions, or share them?

Thanks!