Researchers discovered that the open source webmail software Roundcube is affected by a critical vulnerability that can be used to execute arbitrary commands on the system simply by sending an email.
The issue, found by web application security firm RIPS Technologies, is related to the PHP function mail(), which is used for sending email. When this function is invoked, PHP builds a command line and executes the local sendmail program (the binary named by PHP's sendmail_path setting).
The problem is that user input is not sanitized properly before it reaches the fifth parameter of mail(), the string of extra command-line options that PHP appends to that sendmail invocation, allowing an attacker to pass arbitrary arguments to sendmail. That mail() can be abused this way for remote code execution has been known for more than two years, but Roundcube's developers had overlooked it.
According to RIPS, an attacker can create a malicious PHP file in the system's web root by making sendmail run with the -X option, which logs all mail traffic to a specified file. The logged traffic includes the message itself, so PHP code placed in the email is written into that file, which the attacker can then request through the web server. Such a file allows the attacker to execute commands and conduct further activities, such as reading emails or reaching other systems on the network.
RIPS told SecurityWeek that the vulnerability can be exploited by an attacker who has access to the targeted system and is able to send an email from it. Once that access exists, the security hole is not difficult to exploit: the attacker needs an email account on the server and uses it to send a message with the code that triggers the vulnerability inserted into the "from" field.
Experts pointed out that the attacker may already possess an account (e.g. the attacker is an insider) or they can obtain login credentials to an account using malware or by guessing the password.
There are several conditions that need to be met for the attack to work: Roundcube must be configured to use the PHP mail() function, and that function must be configured to use sendmail. Furthermore, PHP's safe_mode has to be disabled, and the attacker must know the absolute path of the web root folder so that the log file lands where the web server will execute it.
However, these are part of the default configuration and experts estimate that there are tens or hundreds of thousands of vulnerable systems. Roundcube has been downloaded from SourceForge more than 260,000 times in 2016 alone.
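To make the mechanism and the preconditions concrete, here is an added example that is not Roundcube's code and not from RIPS. It models the pattern described above (a user-supplied From address reaching the fifth argument of mail()), places a validating version beside it, and reads the PHP-side preconditions from the interpreter's own settings. The addresses, the log file path and the function names are constructed for illustration, and the hardened form is one reasonable fix, not the project's actual patch.

```php
<?php
declare(strict_types=1);

// Added example, not Roundcube's code. It models the pattern described in the
// article: a From address taken from the user reaches the fifth argument of
// mail(), which PHP appends to the command line of the program named by the
// sendmail_path ini setting.

// Constructed input. The second value has the shape the article describes:
// an address followed by sendmail's -X option, which logs all traffic,
// message body included, to the named file. The web-root path is assumed.
const LEGIT_FROM   = 'alice@example.com';
const HOSTILE_FROM = 'alice@example.com -X/var/www/html/shell.php';

// What the shell hands to sendmail. PHP passes the fifth argument through
// escapeshellcmd() internally, which neutralises metacharacters such as ; and |
// but leaves whitespace alone, so "-f$from" becomes several arguments.
// Splitting on whitespace is a simplified model of that behaviour.
function sendmail_argv(string $from): array
{
    return preg_split('/\s+/', '-f' . $from, -1, PREG_SPLIT_NO_EMPTY);
}

// Vulnerable pattern, shown for contrast only: the address is interpolated raw.
// -f sets the envelope sender; anything after a space becomes a new option.
function send_vulnerable(string $to, string $subject, string $body, string $headers, string $from): bool
{
    return mail($to, $subject, $body, $headers, "-f$from");
}

// Hardened form (an assumed fix, not the project's own): accept only a single
// syntactically valid address with no whitespace and no leading dash. Escaping
// alone is not enough here because spaces survive PHP's internal escaping.
function validate_envelope_sender(string $from): ?string
{
    if ($from === '' || $from[0] === '-' || preg_match('/\s/', $from) === 1) {
        return null;
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $from;
}

// Fail closed: refuse to send rather than call mail() with an unvalidated value.
function send_hardened(string $to, string $subject, string $body, string $headers, string $from): bool
{
    $safe = validate_envelope_sender($from);
    if ($safe === null) {
        error_log('refusing to send: invalid envelope sender');
        return false;
    }
    return mail($to, $subject, $body, $headers, '-f' . $safe);
}

// The PHP-side preconditions named in the article: mail() only reaches
// sendmail when sendmail_path points at it, and safe_mode must be off.
// safe_mode was removed in PHP 5.4, so on current interpreters ini_get()
// returns false for it and the condition is always met. Whether Roundcube
// uses mail() rather than SMTP is a Roundcube setting and is not checked here.
function mail_preconditions(): array
{
    return [
        'sendmail_path' => (string) ini_get('sendmail_path'),
        'safe_mode'     => filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN),
    ];
}

// Demonstration. Nothing below calls mail(), so this runs without an MTA.
print_r(sendmail_argv(HOSTILE_FROM));
var_dump(validate_envelope_sender(LEGIT_FROM));
var_dump(validate_envelope_sender(HOSTILE_FROM));
print_r(mail_preconditions());
```

Running the script with the PHP CLI shows the hostile value splitting into two arguments, the second of which is the -X option, while the validator returns the legitimate address unchanged and null for the hostile one. The preconditions array is a quick way to confirm on a given host that mail() is wired to a sendmail binary at all.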
The issue was reported to Roundcube developers on November 21 and it was patched one week later with the release of versions 1.2.3 and 1.1.7; installations running earlier releases in either branch should be updated.
RIPS noted that it had identified dozens of security holes in Roundcube, including code execution, cross-site scripting (XSS), file manipulation, path traversal, SQL injection, and PHP object injection. However, experts said many of these flaws are less severe because they affect the installation module or dead legacy code.