Connect with us

Hi, what are you looking for?


Email Security

Hackers Can Exploit Roundcube Flaw by Sending an Email

Researchers discovered that the open source webmail software Roundcube is affected by a critical vulnerability that can be used to execute arbitrary commands on the system simply by sending an email.

Researchers discovered that the open source webmail software Roundcube is affected by a critical vulnerability that can be used to execute arbitrary commands on the system simply by sending an email.

The issue, found by web application security firm RIPS Technologies, is related to the PHP function mail(), which is used for sending email. When this function is invoked, PHP executes the command-line email program sendmail.

The problem is that user input is not sanitized properly in the fifth parameter of the mail() function, allowing an attacker to pass arbitrary arguments. The fact that the mail() function can be exploited this way for remote code execution has been known for more than two years, but Roundcube developers overlooked it.

According to RIPS, an attacker can create a malicious PHP file in the system’s web root directory by executing sendmail with the -X option, which is used to log all mail traffic in a specified file. Such a PHP file can allow the hacker to execute commands and conduct various activities, such as reading emails or reaching other systems on the network.

RIPS told SecurityWeek that the vulnerability can be exploited by an attacker who has access to the targeted system and is capable of sending an email from the compromised machine. Once the attacker has access to the system, the security hole is not difficult to exploit – they need to obtain an email account and use it to send a message with the code that triggers the vulnerability inserted into the “from” field.

Experts pointed out that the attacker may already possess an account (e.g. the attacker is an insider) or they can obtain login credentials to an account using malware or by guessing the password.

There are several conditions that need to be met for the attack to work, including that Roundcube must be configured to use the PHP mail() function and this function must be configured to use sendmail. Furthermore, PHP’s safe_mode has to be disabled and the attacker must know the absolute path of the web root folder.

Advertisement. Scroll to continue reading.

However, these are part of the default configuration and experts estimate that there are tens or hundreds of thousands of vulnerable systems. Roundcube has been downloaded from SourceForge more than 260,000 times in 2016 alone.

The issue was reported to Roundcube developers on November 21 and it was patched one week later with the release of versions 1.2.3 and 1.1.7.

RIPS noted that it had identified dozens of security holes in Roundcube, including code execution, cross-site scripting (XSS), file manipulation, path traversal, SQL injection, and PHP object injections. However, experts said many of these flaws are less severe as they affect the installation module or dead legacy code.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...