Security is hard to get right even when you are trying to do it right.
The developers of the open source webmail package Roundcube want sysadmins to push in a patch, because a bug in versions prior to 1.2.3 let an attacker crash it remotely – by sending what looks like valid e-mail data. The authors overlooked sanitising the value taken from the _from request parameter before passing it as the fifth argument to PHP's mail() – and that meant someone only …
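The mechanism in miniature, as an added illustration rather than Roundcube's own code: PHP's mail() appends its fifth argument to the local sendmail command line, so a sender address that is concatenated straight into that argument lets the caller smuggle in extra sendmail options. The function names, the sample inputs and the hardening approach (validate as an e-mail address, then shell-quote) are this example's own assumptions, not the project's actual patch. It only matters on the mail() code path; an installation that delivers through a configured SMTP server never builds this string.

```php
<?php
// Added example, not Roundcube's code: an unsanitised From address reaching
// the fifth argument of mail(), next to one hardened form.

// Vulnerable pattern: the sender is glued onto "-f" with no checks, so a
// constructed input such as
//   "alice@example.com -X /var/www/html/shell.php"
// turns into additional options for the sendmail binary (PHP escapes shell
// metacharacters in this argument but leaves spaces and dashes alone).
function build_sendmail_params_vulnerable(string $from): string
{
    return "-f$from";
}

// Hardened form (assumed approach): accept only a syntactically valid
// address, then shell-quote it so it can never be split into further
// arguments. Returns null when the address is rejected; the caller should
// fall back to a fixed envelope sender or refuse to send.
function build_sendmail_params_safe(string $from): ?string
{
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Belt and braces: whitespace cannot pass FILTER_VALIDATE_EMAIL, but
    // escapeshellarg() keeps the value a single argument even if the
    // validation rule is relaxed later.
    return '-f' . escapeshellarg($from);
}

// Constructed sample inputs: one benign address, one option-injection attempt.
$inputs = [
    'alice@example.com',
    'alice@example.com -X /var/www/html/shell.php',
];

foreach ($inputs as $from) {
    printf("input:      %s\n", $from);
    printf("vulnerable: %s\n", build_sendmail_params_vulnerable($from));
    printf("hardened:   %s\n\n", build_sendmail_params_safe($from) ?? '(rejected)');
}
```

Run it with `php example.php`: the benign address yields `-f'alice@example.com'` from the hardened function, while the second input is rejected outright instead of producing `-falice@example.com -X /var/www/html/shell.php` for sendmail to parse. The same validate-then-quote rule applies to anything else that ends up in mail()'s extra parameters.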
The article misses an important note about the security hole.
"[It's] only relevant to Roundcube installations not having an SMTP server configured for mail delivery"
If you've set it up to use an SMTP server (even just localhost), it doesn't use the mail() command to send the email. See the $config['smtp_server'] variable in config/config.inc.php to check.
Biting the hand that feeds IT © 1998–2019