[Secure-testing-team] Bug#646675: [roundcube] RC doesn't load INBOX anymore - suhosin reports URL is not allowed

Ingo Juergensmann ij at 2011.bluespice.org
Wed Oct 26 05:36:19 UTC 2011


Package: roundcube
Version: 0.6+dfsg-1
Severity: serious
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

--- Please enter the report below this line. ---

Hi!

Well, yesterday out of nothing my webmailer roundcube started to refuse 
to work. At least as I remember it. For some reason reloading the Inbox 
just showed the "Loading..." message on the screen, but there was no 
list of mails anymore. Funny enough, other folders do actually work as 
before. But anyway, doing an update did not help or improve anything. 
(I really don't know whether I updated before or after the 
first occurrence of this issue.)

There's an entry in syslog when loading the Inbox folder:

     Oct 26 07:24:59 muaddib suhosin[32432]: ALERT - Include filename ('http://www.gnu.org/s/hello/manual/automake/ ?.php') is an URL that is not allowed (attacker '127.0.0.1', file '/usr/share/roundcube/program/include/iniset.php', line 110

This led to bug #1488086 in the Roundcube issue tracker, which states:

     This message made me wonder why suhosin thinks there's an include 
     going on. Line 111 of iniset.php shows:

     include_once("$filename.php");

     It seems like roundcube wants to include what is displayed in the 
     subject, which happens to be a URL - and suhosin legitimately blocks 
     this attempt.

     In short, I can send an email to a user on a suhosin protected mail 
     server and make his inbox unavailable. Needless to say, the user cannot 
     delete this email himself via RoundCube. In my case, I had to delete the 
     email file on the server to make roundcube show the inbox again.

In Debian there's bug #619411 that is related to the PATH setting in 
iniset.php, but I'm not sure if this is really related to #1488086 in 
the Roundcube issue tracker and my problem. However, disabling suhosin 
doesn't seem the right way to "solve" this issue, and the trac issue 
tracker suggests a security related problem.

Regards,
Ingo

--- System information. ---
Architecture: amd64
Kernel:       Linux 3.0.0-2-amd64

Debian Release: wheezy/sid
   500 unstable        www.debian-multimedia.org
   500 unstable        ftp.de.debian.org

--- Package information. ---
Depends                    (Version) | Installed
====================================-+-================
roundcube-core        (= 0.6+dfsg-1) | 0.6+dfsg-1
dbconfig-common                      | 1.8.47
debconf                    (>= 0.5)  | 1.5.41
  OR debconf-2.0                      |
ucf                                  | 3.0025+nmu2
apache2                              | 2.2.21-2
  OR lighttpd                         |
  OR httpd                            |
php5                                 | 5.3.8-2
php5-mcrypt                          | 5.3.8-2
php5-gd                              | 5.3.8-2
php5-intl                            | 5.3.8-2
php-mdb2                  (>= 2.5.0) | 2.5.0b2-1
php-auth                             | 1.6.2-1
php-net-smtp              (>= 1.4.2) | 1.6.0-1
php-net-socket                       | 1.0.9-2
php-mail-mime             (>= 1.8.0) | 1.8.0-2
php5-pspell                          | 5.3.8-2
tinymce                       (>= 3) | 3.4.3.2+dfsg0-1
libjs-jquery              (>= 1.6.4) | 1.6.4-1
libmagic1                            | 5.09-2
roundcube-sqlite     (= 0.6+dfsg-1)  | 0.6+dfsg-1
  OR roundcube-mysql  (= 0.6+dfsg-1)  | 0.6+dfsg-1
  OR roundcube-pgsql   (= 0.6+dfsg-1) | 0.6+dfsg-1


Package's Recommends field is empty.

Suggests               (Version) | Installed
================================-+-===========
php-auth-sasl         (>= 1.0.3) |
php-crypt-gpg                    |
roundcube-plugins                |


-- 
Ciao...            //      Fon: 0381-2744150
       Ingo       \X/       http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc
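Editor's note, added to the archived report and not part of the original mail or of Roundcube's code: the syslog line above shows an autoloader passing an unvalidated string straight into include_once(). The snippet below is an added PHP example of the check an autoloader can apply before any include is attempted. CLASS_DIR, safe_class_file() and safe_autoload() are assumed names; Roundcube's real directory layout is not assumed.

```php
<?php
// Added example (not Roundcube's iniset.php): an autoloader that refuses
// anything that is not a bare identifier, so a URL-shaped name like the
// one in the report never reaches include_once().

// Hypothetical base directory for class files (assumption, not Roundcube's).
const CLASS_DIR = __DIR__ . '/include';

function safe_class_file(string $name): ?string
{
    // Allow only letters, digits and underscore. '/', ':', '.', spaces and
    // scheme prefixes (i.e. URLs and stream wrappers) are all rejected here.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        return null;
    }
    $base = realpath(CLASS_DIR);
    if ($base === false) {
        return null;             // base directory missing: nothing to load
    }
    $path = $base . DIRECTORY_SEPARATOR . $name . '.php';
    if (!is_file($path)) {
        return null;             // unknown class: refuse rather than probe
    }
    // Resolve symlinks and confirm the file still lives under the base dir.
    $real = realpath($path);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function safe_autoload(string $name): void
{
    $file = safe_class_file($name);
    if ($file === null) {
        // Log the refused name instead of letting include_once() see it;
        // suhosin's ALERT in the report is the last line of defence, not the first.
        error_log('autoload refused: ' . var_export($name, true));
        return;
    }
    include_once $file;
}

spl_autoload_register('safe_autoload');

// Constructed inputs: the string from the syslog line and a plain class name.
var_dump(safe_class_file('http://www.gnu.org/s/hello/manual/automake/ ?'));  // NULL
var_dump(safe_class_file('rcube_imap'));  // path only if include/rcube_imap.php exists
```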