Skip to content

Instantly share code, notes, and snippets.

@thomascube
Last active January 3, 2024 11:12
Show Gist options
  • Save thomascube/3ace32074e23fca0e6510e500bd914a1 to your computer and use it in GitHub Desktop.
Save thomascube/3ace32074e23fca0e6510e500bd914a1 to your computer and use it in GitHub Desktop.
Roundcube Vulnerability CVE-2017-16651

Roundcube Webmail File Disclosure Vulnerability

  • Software: https://roundcube.net/
  • Versions: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2
  • CVE: CVE-2017-16651
  • Author: Thomas Bruederli
  • Release date: 2017-11-09

Summary

Roundcube Webmail allows unauthorized access to arbitrary files on the host's filesystem, including configuration files. This affects all versions from 1.1.0 until the most recent stable version 1.3.2. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session.

Attack Vectors

In order to read files on the hosts filesystem the attacker must modify the login form and submit it with valid credentials (username/password) of an email account on the target system. After successful login, a manually crafted URL will disclose the contents of the file path submitted with the modified login form.

Technical Details

Due to insufficient sanitization of $_REQUEST['_timezone'] in program/include/rcmail.php an attacker with a valid username/password can substitute

<input name="_timezone" id="rcmlogintz" value="Timezone" type="hidden">

in the login form with

<input name="_timezone[files][1][path]" id="rcmlogintz" value="path/to/an/arbitrary/local/file" type="hidden">

then submit this modified login form with valid username and password. The contents of the local file entered in the hidden field are then exposed in the following GET request:

http://hostname/path-to-roundcube/?_task=settings&_action=upload-display&_from=timezone&_file=rcmfile1

The _timezone data submitted from the login form is stored as an array in the user's session. The upload-display step handler is meant to serve attachments previously uploaded and stored in a temp directory via session data. To make this generically usable for plugins too, the session properties used to read temp files are derived from the _from and the _file query parameters.

Due to insufficient validation of the file paths referenced in session data, the filesystem_attachments plugin, which is by default used to handle the storage and access to attachment uploads, will serve the contents of the file referenced in the timezone entry of the session data.

Timeline

  • 2017-11-06: Vendor notification #6026
  • 2017-11-08: Vendor fixes the bug on dev branch
  • 2017-11-08: Vendor releases new a stable versions (1.1.10, 1.2.7 and 1.3.3)
@starnightcyber
Copy link

In Attack Vector:
"In order to read files on the hosts filesystem the attacker must modify the login form and submit it with valid credentials "
This is quite difficult to understand for me, how could an attacker modify the login form?

In a simple way to explain this and your Technical Details:
modify the post data like this with valid credentials (change _timezone to the following, the right is the file you want to read)
"_timezone[files][1][path]=/etc/passwd"

and request url
http://hostname/path-to-roundcube/?_task=settings&_action=upload-display&_from=timezone&_file=rcmfile1

@ropbear
Copy link

ropbear commented Jan 6, 2021

Python implementation for the lazy
https://github.com/stonepresto/CVE-2017-16651

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment