Roundcube Community Forum

 

RoundCube News: Security update for 0.2-beta

Started by bpat1434, December 16, 2008, 01:06:03 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

bpat1434

December 16, 2008, 01:06:03 PM
There were two security issues reported which are now fixed. The first was as possible code injection using the html2text conversion script. The other exploit used the unchecked size parameters of the quota image to let PHP create huge images eating up all the server memory.  (0 comments)

More...
 
 

lvanderree

#1
January 14, 2009, 05:54:37 PM
I have a ubuntu server (8.10) with roundcube 0.1.1 (default package from ubuntu 8.10)

and I can provide the following logs:


apache access log:
62.193.202.XX - - [12/Jan/2009:21:48:13 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 759 "-" "-"
62.193.202.XX - - [12/Jan/2009:21:48:27 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 180 "-" "-"
(these are the only two actions performed as can be found in my apache-log)

in my syslog I can see:
Jan 12 21:48:29 fun4me crontab[10065]: (www-data) REPLACE (www-data)
Jan 12 21:48:29 fun4me crontab[10066]: (www-data) LIST (www-data)

crontab -u www-data -l   gives me:
* * * * * /var/tmp/.ICE-unix/.../.tmp/data/mysqld-lock >/dev/null 2>&1

and ls -l /var/tmp/.ICE-unix/.../.tmp/data/ gives me:
-rw-r--r-- 1 www-data www-data      71 2009-01-12 21:48 cron.d
drwxr-xr-x 2 www-data www-data    4096 2009-01-12 21:48 home
-rwxr-xr-x 1 www-data www-data 1063697 2008-01-20 16:42 mysqld
-rw-r--r-- 1 www-data www-data      33 2009-01-12 21:48 mysqld.dir
-rwxr-xr-x 1 www-data www-data     178 2008-01-20 16:42 mysqld-exec
-rwxr-xr-x 1 www-data www-data     359 2008-01-20 16:42 mysqld-install
-rwxr--r-- 1 www-data www-data     244 2009-01-12 21:48 mysqld-lock
-rw-rw-rw- 1 www-data www-data       6 2009-01-12 21:48 mysqld.pid
-rwxr-xr-x 1 www-data www-data   21516 2008-01-20 16:42 xh

xh gets detected as HackTool.Linux.ProcHider.a Viruslist.com - HackTool.Linux.ProcHider.a
I guess mysqld is a virus as well, but it does not get detected (yet)

I will try to add this exploit to launchpad as well (if possible)

I already found out it was a spam-bot that got inserted in my system

cr3pt

#2
January 24, 2009, 04:01:13 PM
egh...
upgrade to 0.2 !!
regards
cr3pt
Print
Go Up Pages1
User actions