Skip to content

Instantly share code, notes, and snippets.

@thomascube

thomascube/cve-2017-16651.md

Last active January 3, 2024 11:12
Show Gist options
  • Star 5 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save thomascube/3ace32074e23fca0e6510e500bd914a1 to your computer and use it in GitHub Desktop.
Save thomascube/3ace32074e23fca0e6510e500bd914a1 to your computer and use it in GitHub Desktop.
Download ZIP
Roundcube Vulnerability CVE-2017-16651
Raw
cve-2017-16651.md

Roundcube Webmail File Disclosure Vulnerability

  • Software: https://roundcube.net/
  • Versions: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2
  • CVE: CVE-2017-16651
  • Author: Thomas Bruederli
  • Release date: 2017-11-09

Summary

Roundcube Webmail allows unauthorized access to arbitrary files on the host's filesystem, including configuration files. This affects all versions from 1.1.0 until the most recent stable version 1.3.2. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session.

Attack Vectors

In order to read files on the hosts filesystem the attacker must modify the login form and submit it with valid credentials (username/password) of an email account on the target system. After successful login, a manually crafted URL will disclose the contents of the file path submitted with the modified login form.

Technical Details

Due to insufficient sanitization of $_REQUEST['_timezone'] in program/include/rcmail.php an attacker with a valid username/password can substitute

<input name="_timezone" id="rcmlogintz" value="Timezone" type="hidden">

in the login form with

<input name="_timezone[files][1][path]" id="rcmlogintz" value="path/to/an/arbitrary/local/file" type="hidden">

then submit this modified login form with valid username and password. The contents of the local file entered in the hidden field are then exposed in the following GET request:

http://hostname/path-to-roundcube/?_task=settings&_action=upload-display&_from=timezone&_file=rcmfile1

The _timezone data submitted from the login form is stored as an array in the user's session. The upload-display step handler is meant to serve attachments previously uploaded and stored in a temp directory via session data. To make this generically usable for plugins too, the session properties used to read temp files are derived from the _from and the _file query parameters.

Due to insufficient validation of the file paths referenced in session data, the filesystem_attachments plugin, which is by default used to handle the storage and access to attachment uploads, will serve the contents of the file referenced in the timezone entry of the session data.

Timeline

  • 2017-11-06: Vendor notification #6026
  • 2017-11-08: Vendor fixes the bug on dev branch
  • 2017-11-08: Vendor releases new a stable versions (1.1.10, 1.2.7 and 1.3.3)
@ropbear
Copy link

ropbear commented Jan 6, 2021
edited

Python implementation for the lazy
https://github.com/stonepresto/CVE-2017-16651

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment