Skip to content

Instantly share code, notes, and snippets.

Last active February 23, 2021 16:09
What would you like to do?
Roundcube Vulnerability CVE-2017-16651

Roundcube Webmail File Disclosure Vulnerability

  • Software:
  • Versions: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2
  • CVE: CVE-2017-16651
  • Author: Thomas Bruederli
  • Release date: 2017-11-09


Roundcube Webmail allows unauthorized access to arbitrary files on the host's filesystem, including configuration files. This affects all versions from 1.1.0 until the most recent stable version 1.3.2. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session.

Attack Vectors

In order to read files on the hosts filesystem the attacker must modify the login form and submit it with valid credentials (username/password) of an email account on the target system. After successful login, a manually crafted URL will disclose the contents of the file path submitted with the modified login form.

Technical Details

Due to insufficient sanitization of $_REQUEST['_timezone'] in program/include/rcmail.php an attacker with a valid username/password can substitute

<input name="_timezone" id="rcmlogintz" value="Timezone" type="hidden">

in the login form with

<input name="_timezone[files][1][path]" id="rcmlogintz" value="path/to/an/arbitrary/local/file" type="hidden">

then submit this modified login form with valid username and password. The contents of the local file entered in the hidden field are then exposed in the following GET request:


The _timezone data submitted from the login form is stored as an array in the user's session. The upload-display step handler is meant to serve attachments previously uploaded and stored in a temp directory via session data. To make this generically usable for plugins too, the session properties used to read temp files are derived from the _from and the _file query parameters.

Due to insufficient validation of the file paths referenced in session data, the filesystem_attachments plugin, which is by default used to handle the storage and access to attachment uploads, will serve the contents of the file referenced in the timezone entry of the session data.


  • 2017-11-06: Vendor notification #6026
  • 2017-11-08: Vendor fixes the bug on dev branch
  • 2017-11-08: Vendor releases new a stable versions (1.1.10, 1.2.7 and 1.3.3)
Copy link

In Attack Vector:
"In order to read files on the hosts filesystem the attacker must modify the login form and submit it with valid credentials "
This is quite difficult to understand for me, how could an attacker modify the login form?

In a simple way to explain this and your Technical Details:
modify the post data like this with valid credentials (change _timezone to the following, the right is the file you want to read)

and request url

Copy link

ropbear commented Jan 6, 2021

Python implementation for the lazy

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment