The developers of the open source webmail package Roundcube want sysadmins to apply a patch, because a bug in versions prior to 1.2.3 let an attacker crash it remotely – by sending what looks like valid e-mail data.
The authors overlooked sanitising the fifth argument (the _from parameter) in mail() – and that meant someone only needed to compose an e-mail with malicious info in that argument to attack Roundcube.
It works because of how the program flows in a default installation. User input from the Roundcube UI is passed to PHP's mail() function, and because that input wasn't sanitised until the bug-fix, the fifth argument of the mail() call could be used to execute sendmail with the -X option, which logs all mail traffic to a file – and that, according to RIPS Technologies in this blog post, could be abused to spawn a malicious PHP file in the target server's webroot directory.
After looking over the code and the regex that was meant to sanitise the _from parameter, the RIPS Technologies analysts worked out that an HTTP request to the server could use that parameter to put a malicious PHP file onto the system, like this:
firstname.lastname@example.org -OQueueDirectory=/tmp -X/var/www/html/rce.php
rce.php can be populated with PHP code that's inserted in an e-mail's subject line.
“Since the email data is unencoded, the subject parameter will be reflected in plaintext which allows the injection of PHP tags into the shell file”, the post states.
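The defensive side of the same mechanism, as an added example that is not Roundcube's code or the RIPS post's: a strict allow-list check on the sender value before it is ever turned into mail()'s fifth argument, so that a value carrying sendmail options like the one above is refused instead of reaching the sendmail command line. The function names and the conservative address pattern are this example's own assumptions.

```php
<?php
// Added example, not Roundcube's own code. The envelope sender is validated
// against a deliberately narrow pattern before being used for mail()'s fifth
// argument (additional_params). sendmail options are separated from the
// address by whitespace and begin with "-", so a plain mailbox string can
// never smuggle "-OQueueDirectory=..." or "-X..." onto the command line.

function safe_envelope_sender(string $from): ?string
{
    // Any whitespace or control character means the value is not a bare
    // address and could carry extra sendmail options: refuse it outright.
    if (preg_match('/[\s\x00-\x1f\x7f]/', $from)) {
        return null;
    }
    // A leading dash would make the whole value an option instead of an address.
    if ($from === '' || $from[0] === '-') {
        return null;
    }
    // Conservative mailbox syntax (assumption of this example). It rejects some
    // RFC-valid but exotic local parts on purpose, so that no shell
    // metacharacter can appear in the value at all.
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/', $from)) {
        return null;
    }
    // Belt and braces: PHP's own validator must agree.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $from;
}

function send_with_envelope(string $to, string $subject, string $body, string $from): bool
{
    $sender = safe_envelope_sender($from);
    if ($sender === null) {
        // Log and refuse; never fall through to an unvalidated value.
        error_log('rejected unsafe envelope sender: ' . $from);
        return false;
    }
    return mail($to, $subject, $body, 'From: ' . $sender, '-f' . $sender);
}

// Constructed inputs: a normal address, and the injection string from the article.
var_dump(safe_envelope_sender('firstname.lastname@example.org'));
var_dump(safe_envelope_sender('firstname.lastname@example.org -OQueueDirectory=/tmp -X/var/www/html/rce.php'));
```

The first call returns the address unchanged and the second returns null, which is the behaviour a log monitor can key on: a burst of "rejected unsafe envelope sender" entries containing -X or -O is a sign someone is probing this exact weakness.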