Open source Roundcube webmail can be attacked ... by sending it an e-mail

The developers of open source webmail package Roundcube want sysadmins to push in a patch, because a bug in versions prior to 1.2.3 let an attacker crash it remotely – by sending what looks like valid e-mail data. The authors overlooked sanitising the fifth argument (the _from parameter) in mail() – and that meant someone only …

  1. a_yank_lurker Silver badge


    Security is hard to get right even when you are trying to do it right.

  2. Anonymous Coward

    Developers - CHECK YOUR INPUTS

    For fuck's sake - time and again code is made without input checks and limits being applied.

    1. Anonymous Coward

      Re: Developers - CHECK YOUR INPUTS

      Check for what though? That it doesn't have shell escapes (like: apostrophe, double-quote, backtick). That's not enough in this case.

      It's not just about checking your inputs... it's about making sure that you're checking for the right things.

  3. J J Carter Silver badge

    Many eyes....

    But all looking at pr0n

    1. Anonymous Coward

      Re: Many eyes....

      You could at least have the good grace to use the troll icon, as you usually do when you cut & paste this witless comment.

  4. Nick Kew Silver badge

    Twenty years ago when Perl was the dominant language for apps like this, the message drummed insistently into everyone hacking it was ALWAYS use the -T taint-checking option. Which protects you from precisely this kind of bug.

    Then came PHP, and security was history ...

    1. Sirius Lee

      Eee, when I warra kid

      It wern't like this in my day.

      1. Anonymous Coward

        Re: Eee, when I warra kid

        I beg to differ - I've seen 20 year old COBOL still in use, and that's just as shit at not doing bounds/input checking.

        1. Nick Kew Silver badge

          Re: Eee, when I warra kid

          20-year-old COBOL? Didn't realise COBOL was still written 20 years ago!

          Guess you must've been digging up a memory from 20 years ago, of COBOL that was 20 years old at the time.

  5. LDS Silver badge

    Am I correct it does impact only users able to send mail from Roundcube?

    And not users reading received emails? Although maybe reply/forward can trigger the issue?

    What about installation using SMTP and not mail()?

  6. Justin Pasher

    Bad, but not critical (for some)

    The article misses an important note about the security hole.

    "[It's] only relevant to Roundcube installations not having an SMTP server configured for mail delivery"

    If you've set it up to use an SMTP server (even just localhost), it doesn't use the mail() command to send the email. See the $config['smtp_server'] variable in config/ to check.
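Added example (not Roundcube's code, not from the article or any commenter) illustrating two points raised in this thread: the reply to "CHECK YOUR INPUTS" above, that stripping quotes and backticks is the wrong check for mail()'s fifth argument, and Justin Pasher's note that the mail() path is only reached when no SMTP server is configured. Function names, the allowlist pattern and the sample senders are all constructed for the example; the only documented behaviour it relies on is that PHP applies escapeshellcmd() to additional_params before handing them to the sendmail binary.

```php
<?php
// Added example, not Roundcube's code. PHP passes mail()'s fifth argument
// (additional_params) to the configured sendmail binary as extra command-line
// options. The PHP manual states that the string is run through
// escapeshellcmd() internally: quotes and backticks are neutralised, but
// whitespace is not, so a sender containing a space is split by the MTA into
// more than one option. Checking for shell metacharacters is therefore the
// wrong test; the sender has to be proven to be a single plain address.

// Weak version: the request-supplied sender is used as-is.
function envelope_sender_unsafe(string $from): string
{
    return '-f' . $from;
}

// Hardened version: accept only a tightly shaped address. The allowlist
// admits no whitespace, quotes or control characters, so the result can
// only ever be parsed as the one "-f<address>" option it is meant to be.
// The pattern is a constructed allowlist, not Roundcube's own validator.
function envelope_sender_safe(string $from): ?string
{
    $from = trim($from);
    if ($from === '' || strlen($from) > 254) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._%+=-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/', $from)) {
        return null;   // refuse rather than "clean up": nothing else reaches the MTA
    }
    return '-f' . $from;
}

// The fifth-argument code path only matters for deployments that deliver via
// mail(); with smtp_server set, delivery goes over SMTP instead (the point made
// in the comment above). $config key name as used in that comment.
function uses_php_mail(array $config): bool
{
    return empty($config['smtp_server']);
}

// Constructed sample senders: one benign, two that carry extra tokens.
$samples = [
    'alice@example.org',
    'alice@example.org second-word',          // space: would become a second option
    "alice@example.org\nbob@example.org",     // newline: never a single address
];

foreach ($samples as $s) {
    $safe = envelope_sender_safe($s);
    printf("%-42s unsafe=%-42s safe=%s\n",
        json_encode($s),
        json_encode(envelope_sender_unsafe($s)),
        $safe === null ? 'REJECTED' : $safe);
}

printf("mail() path used with smtp_server=localhost: %s\n",
    uses_php_mail(['smtp_server' => 'localhost']) ? 'yes' : 'no');
printf("mail() path used with no smtp_server:        %s\n",
    uses_php_mail([]) ? 'yes' : 'no');
```

The design choice worth noting is that the hardened function rejects instead of sanitising: once a sender fails the allowlist there is no safe transformed form worth passing on, and a reject is also a useful signal to log.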
