- Software: https://roundcube.net/
- Versions: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2
- CVE: CVE-2017-16651
- Author: Thomas Bruederli
- Release date: 2017-11-09
Roundcube Webmail allows unauthorized access to arbitrary files on the host's filesystem, including configuration files. This affects all versions from 1.1.0 until the most recent stable version 1.3.2. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session.
In order to read files on the hosts filesystem the attacker must modify the login form and submit it with valid credentials (username/password) of an email account on the target system. After successful login, a manually crafted URL will disclose the contents of the file path submitted with the modified login form.
Due to insufficient sanitization of $_REQUEST['_timezone']
in program/include/rcmail.php
an attacker with a valid username/password can substitute
<input name="_timezone" id="rcmlogintz" value="Timezone" type="hidden">
in the login form with
<input name="_timezone[files][1][path]" id="rcmlogintz" value="path/to/an/arbitrary/local/file" type="hidden">
then submit this modified login form with valid username and password. The contents of the local file entered in the hidden field are then exposed in the following GET request:
http://hostname/path-to-roundcube/?_task=settings&_action=upload-display&_from=timezone&_file=rcmfile1
The _timezone
data submitted from the login form is stored as an array in the user's session.
The upload-display
step handler is meant to serve attachments previously uploaded and stored in a
temp directory via session data. To make this generically usable for plugins too, the session properties
used to read temp files are derived from the _from
and the _file
query parameters.
Due to insufficient validation of the file paths referenced in session data, the filesystem_attachments
plugin, which is by default used to handle the storage and access to attachment uploads, will serve the
contents of the file referenced in the timezone
entry of the session data.
In Attack Vector:
"In order to read files on the hosts filesystem the attacker must modify the login form and submit it with valid credentials "
This is quite difficult to understand for me, how could an attacker modify the login form?
In a simple way to explain this and your Technical Details:
modify the post data like this with valid credentials (change _timezone to the following, the right is the file you want to read)
"_timezone[files][1][path]=/etc/passwd"
and request url
http://hostname/path-to-roundcube/?_task=settings&_action=upload-display&_from=timezone&_file=rcmfile1