Email Security

Hackers Can Exploit Roundcube Flaw by Sending an Email

Researchers discovered that the open source webmail software Roundcube is affected by a critical vulnerability that can be used to execute arbitrary commands on the system simply by sending an email.

The issue, found by web application security firm RIPS Technologies, is related to the PHP function mail(), which is used for sending email. When this function is invoked, PHP executes the command-line email program sendmail.

The problem is that user input passed to the fifth parameter of mail() is not sanitized properly, allowing an attacker to append arbitrary arguments to the sendmail command line. The fact that mail() can be abused this way for remote code execution has been known for more than two years, but Roundcube developers overlooked it.

According to RIPS, an attacker can create a malicious PHP file in the system’s web root directory by executing sendmail with the -X option, which is used to log all mail traffic in a specified file. Such a PHP file can allow the hacker to execute commands and conduct various activities, such as reading emails or reaching other systems on the network.

RIPS told SecurityWeek that the vulnerability can be exploited by an attacker who has access to the targeted system and is capable of sending an email from the compromised machine. Once the attacker has access to the system, the security hole is not difficult to exploit – they need to obtain an email account and use it to send a message with the code that triggers the vulnerability inserted into the “from” field.
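To make the flaw class concrete from the defender's side, the following is an added illustration (not Roundcube's code, and not RIPS' proof of concept): the unsafe pattern of handing a user-supplied sender address straight to mail()'s fifth parameter, beside a hardened version that validates the address and shell-quotes it so it can never be split into extra sendmail arguments. The function names and sample addresses are constructed for this example.

```php
<?php
// Added illustration, not Roundcube's code. Function names and the sample
// addresses below are constructed for this example.

// The risky pattern the article describes: a "From" value taken from the
// user ends up in mail()'s fifth parameter, so it becomes part of the
// sendmail command line with no check that it is a single, plain address.
function send_unchecked(string $to, string $subject, string $body, string $from): bool
{
    return mail($to, $subject, $body, "From: $from", "-f$from");
}

// Hardened: only a strictly formed address may reach sendmail, and it is
// shell-quoted so whitespace or option-like text cannot become an argument.
function sender_param(string $from): ?string
{
    // First gate: PHP's own address validator.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Second gate: a tighter allowlist. No whitespace, quotes or control
    // characters anywhere, and no leading '-' (filter_var accepts a hyphen
    // in the local part, but sendmail would read it as an option).
    if (!preg_match('/^[A-Za-z0-9._%+][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+$/', $from)) {
        return null;
    }
    return '-f' . escapeshellarg($from);
}

function send_checked(string $to, string $subject, string $body, string $from): bool
{
    $param = sender_param($from);
    if ($param === null) {
        // Log the rejected value hex-encoded so the log line itself is safe to read.
        error_log('rejected sender value: ' . bin2hex($from));
        return false;
    }
    return mail($to, $subject, $body, "From: $from", $param);
}

// Constructed inputs: the first is accepted; the other two are refused
// before mail() is ever called.
var_dump(sender_param('alice@example.org'));        // accepted, quoted -f argument
var_dump(sender_param('alice@example.org extra'));  // refused: whitespace would split the argument
var_dump(sender_param('-alice@example.org'));       // refused: passes filter_var, caught by the allowlist
```

The third input is the reason for the second check: filter_var() alone treats a leading hyphen as a legal address character, so an address validator is not by itself an argument validator. Rejecting early and logging the raw value (hex-encoded) also gives operators a detection signal when someone probes the sender field.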

Experts pointed out that the attacker may already possess an account (e.g. the attacker is an insider) or they can obtain login credentials to an account using malware or by guessing the password.

There are several conditions that need to be met for the attack to work, including that Roundcube must be configured to use the PHP mail() function and this function must be configured to use sendmail. Furthermore, PHP’s safe_mode has to be disabled and the attacker must know the absolute path of the web root folder.

However, these are part of the default configuration and experts estimate that there are tens or hundreds of thousands of vulnerable systems. Roundcube has been downloaded from SourceForge more than 260,000 times in 2016 alone.

The issue was reported to Roundcube developers on November 21 and it was patched one week later with the release of versions 1.2.3 and 1.1.7.

RIPS noted that it had identified dozens of security holes in Roundcube, including code execution, cross-site scripting (XSS), file manipulation, path traversal, SQL injection, and PHP object injections. However, experts said many of these flaws are less severe as they affect the installation module or dead legacy code.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.