Roundcube Webmail File Disclosure Vulnerability
- Software: https://roundcube.net/
- Versions: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2
- CVE: CVE-2017-16651
- Author: Thomas Bruederli
- Release date: 2017-11-09
Roundcube Webmail allows unauthorized access to arbitrary files on the host's filesystem, including configuration files. This affects all versions from 1.1.0 until the most recent stable version 1.3.2. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session.
In order to read files on the hosts filesystem the attacker must modify the login form and submit it with valid credentials (username/password) of an email account on the target system. After successful login, a manually crafted URL will disclose the contents of the file path submitted with the modified login form.
Due to insufficient sanitization of
an attacker with a valid username/password can substitute
<input name="_timezone" id="rcmlogintz" value="Timezone" type="hidden">
in the login form with
<input name="_timezone[files][path]" id="rcmlogintz" value="path/to/an/arbitrary/local/file" type="hidden">
then submit this modified login form with valid username and password. The contents of the local file entered in the hidden field are then exposed in the following GET request:
_timezone data submitted from the login form is stored as an array in the user's session.
upload-display step handler is meant to serve attachments previously uploaded and stored in a
temp directory via session data. To make this generically usable for plugins too, the session properties
used to read temp files are derived from the
_from and the
_file query parameters.
Due to insufficient validation of the file paths referenced in session data, the
plugin, which is by default used to handle the storage and access to attachment uploads, will serve the
contents of the file referenced in the
timezone entry of the session data.