Mailinabox: Critical security issue in Roundcube <= 1.2.2

Created on 6 Dec 2016  路  2Comments  路  Source: mail-in-a-box/mailinabox

There was a Critical security voulnerability announced today affecting version 1.2.2 and lower of Roundcube that permits a malicious user to execute commands on the local machine.

Details:
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released

Most helpful comment

Thanks. It doesn't appear that we're vulnerable because this part doesn't apply to us:

Roundcube must be configured to use PHP鈥檚 mail() function (by default, if no SMTP was specified 2 )

(Also see #997.)

All 2 comments

Thanks. It doesn't appear that we're vulnerable because this part doesn't apply to us:

Roundcube must be configured to use PHP鈥檚 mail() function (by default, if no SMTP was specified 2 )

(Also see #997.)

Thanks. It doesn't appear that we're vulnerable because this part doesn't apply to us:

Still, I think that the update should be released as Roundcube 1.2.3 is a stable release.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

arctic-ice-cool picture arctic-ice-cool  路  8Comments

ad-si picture ad-si  路  6Comments

jalogisch picture jalogisch  路  5Comments

timkofu picture timkofu  路  3Comments

anoma picture anoma  路  4Comments