
Email Security

Hackers Can Exploit Roundcube Flaw by Sending an Email

Researchers discovered that the open source webmail software Roundcube is affected by a critical vulnerability that can be used to execute arbitrary commands on the system simply by sending an email.

The issue, found by web application security firm RIPS Technologies, is related to the PHP function mail(), which is used for sending email. When this function is invoked, PHP executes the command-line email program sendmail.

The problem is that user input is not properly sanitized before it reaches the fifth parameter of the mail() function, the "additional parameters" string that PHP hands to sendmail on the command line, allowing an attacker to pass arbitrary arguments. The fact that the mail() function can be exploited this way for remote code execution has been known for more than two years, but Roundcube developers overlooked it.

According to RIPS, an attacker can create a malicious PHP file in the system’s web root directory by executing sendmail with the -X option, which is used to log all mail traffic in a specified file. Such a PHP file can allow the hacker to execute commands and conduct various activities, such as reading emails or reaching other systems on the network.
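The bug class described above, shown as an added example that is not Roundcube's code: a sender address interpolated straight into mail()'s fifth argument beside a hardened version that validates the address and escapes it as a single shell argument. Function names are hypothetical.

```php
<?php
// Added illustration, not code from Roundcube or RIPS. Function names are hypothetical.

// Vulnerable pattern: the user-controlled "From" address is placed directly into
// the additional-parameters string. PHP passes that string to sendmail through the
// shell, so any whitespace-separated token in it (such as "-X") becomes a separate
// sendmail option. This is the defect the article describes; do not use this form.
function send_vulnerable(string $to, string $subject, string $body, string $from): bool
{
    return mail($to, $subject, $body, "From: $from\r\n", "-f" . $from);
}

// Hardened: accept only a plain, syntactically valid mailbox address and wrap it with
// escapeshellarg() so sendmail receives exactly one envelope-sender argument.
function safe_sender_param(string $from): string
{
    $from = trim($from);
    // FILTER_VALIDATE_EMAIL rejects newlines and spaces; the extra check refuses
    // quotes and angle brackets so no value can be reinterpreted as an option.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false
        || preg_match('/[\s"\'<>]/', $from) === 1) {
        throw new InvalidArgumentException('Refusing to use untrusted sender address');
    }
    // escapeshellarg() single-quotes the value and escapes embedded quotes,
    // so "-f" plus the address cannot be split into additional arguments.
    return '-f' . escapeshellarg($from);
}

function send_hardened(string $to, string $subject, string $body, string $from): bool
{
    $param   = safe_sender_param($from);           // throws on anything suspicious
    $headers = 'From: ' . $from . "\r\n";          // validated above: no CRLF injection
    return mail($to, $subject, $body, $headers, $param);
}

// Constructed inputs: a legitimate address passes, an option-injection attempt is refused.
var_dump(safe_sender_param('alice@example.com'));  // string(21) "-f'alice@example.com'"
try {
    safe_sender_param('alice@example.com -X /tmp/x');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                 // Refusing to use untrusted sender address
}
```

The safest option is to not derive the fifth parameter from user input at all, and to use a configured, fixed envelope sender instead.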

RIPS told SecurityWeek that the vulnerability can be exploited by an attacker who has access to the targeted system and is capable of sending an email from the compromised machine. Once the attacker has access to the system, the security hole is not difficult to exploit – they need to obtain an email account and use it to send a message with the code that triggers the vulnerability inserted into the “from” field.

Experts pointed out that the attacker may already possess an account (e.g. the attacker is an insider) or they can obtain login credentials to an account using malware or by guessing the password.

There are several conditions that need to be met for the attack to work, including that Roundcube must be configured to use the PHP mail() function and this function must be configured to use sendmail. Furthermore, PHP’s safe_mode has to be disabled and the attacker must know the absolute path of the web root folder.


However, these are part of the default configuration and experts estimate that there are tens or hundreds of thousands of vulnerable systems. Roundcube has been downloaded from SourceForge more than 260,000 times in 2016 alone.

The issue was reported to Roundcube developers on November 21 and it was patched one week later with the release of versions 1.2.3 and 1.1.7.

RIPS noted that it had identified dozens of security holes in Roundcube, including code execution, cross-site scripting (XSS), file manipulation, path traversal, SQL injection, and PHP object injection. However, experts said many of these flaws are less severe as they affect the installation module or dead legacy code.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.