The Fifth Element is a problem – the input argument that didn’t get checked is an RCE hole
The developers of open source webmail package Roundcube want sysadmins to push in a patch, because a bug in versions prior to 1.2.3 let an attacker crash it remotely – by sending what looks like valid e-mail data.
The authors overlooked sanitising the fifth argument (the _from parameter) in mail() – and that meant someone only needed to compose an e-mail with malicious info in that argument to attack Roundcube.
It works because of how the program flows in a default installation. User input from the Roundcube UI is passed to PHP’s mail() function, and mail() calls sendmail.
Because the user input wasn’t sanitised until the bug-fix, the fifth argument when calling mail() could be used to execute sendmail with the -X option to log all mail traffic – and that, according to a RIPS Technologies blog post, could be abused to spawn a malicious PHP file in the target server’s Webroot directory.
After looking over the code and the regex that was meant to sanitise the _from parameter, RIPS Technologies’ analysts worked out that an HTTP request to the server could use that parameter to put a malicious PHP file onto the system, like this:
email@example.com -OQueueDirectory=/tmp -X/var/www/html/rce.php
The malicious rce.php can be populated with PHP code that’s inserted in an e-mail’s subject line.
“Since the email data is unencoded, the subject parameter will be reflected in plaintext which allows the injection of PHP tags into the shell file”, the post states.
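The missing check described above, as an added example: it is not Roundcube's code or its 1.2.3 patch. The function names are hypothetical, and the allowlist is deliberately stricter than the e-mail address grammar, so the sender value can never split into extra sendmail options.

```php
<?php
// Added example (not Roundcube's code): validate an envelope sender before it
// is used as the fifth argument of mail(). Function names are hypothetical.

function envelope_sender_or_null(string $from): ?string
{
    // Reject anything that could become a separate sendmail argument:
    // whitespace, control characters, or a leading dash.
    if ($from === '' || $from[0] === '-' || preg_match('/[\s\x00-\x1f\x7f]/', $from)) {
        return null;
    }
    // Conservative allowlist, stricter than RFC 5322 on purpose.
    if (!preg_match('/\A[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\z/', $from)) {
        return null;
    }
    // filter_var() as a second check on overall address syntax.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $from;
}

function build_mail_params(string $from): ?string
{
    // Only a validated address is ever appended to -f.
    $addr = envelope_sender_or_null($from);
    return $addr === null ? null : '-f' . $addr;
}

// Constructed sample inputs; the second is the string quoted in the article.
$samples = [
    'alice@example.com',
    'email@example.com -OQueueDirectory=/tmp -X/var/www/html/rce.php',
    '-X/tmp/log@example.com',
];
foreach ($samples as $s) {
    $params = build_mail_params($s);
    printf("%-66s => %s\n", $s, $params ?? 'REJECTED');
}
```

A caller that gets null back should refuse to send, or send without a fifth argument, rather than pass the raw value through.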
Roundcube posted a patch to GitHub at the end of November, and issued version 1.2.3.