Remote Code Execution in Roundcube prior to 1.1.4

Refers to:

  • Plesk 12.5 for Linux
  • Plesk 12.0 for Linux

Created:

2016-11-16 13:03:19 UTC

Modified:

2016-12-21 19:51:04 UTC



Symptoms

A critical remote code execution vulnerability was discovered in Roundcube version 1.1.3 on the 21st of December:

A customer can execute arbitrary PHP code as the roundcube_sysuser:roundcube_sysgroup system account.

The vulnerable Roundcube version 1.1.3 is currently available for optional installation in Plesk for Linux 12.0 and 12.5. The following Plesk 11.5 versions are also affected:

  • Plesk 11.5.30 for CentOS 6 (with Roundcube 0.9.5) is vulnerable.
  • Plesk 11.5.30 for CentOS 5 (with Roundcube 0.8.6) is vulnerable.

Resolution

For Plesk 12.0 and 12.5, the issue is fixed in a Micro-Update (Roundcube was updated to version 1.1.4).

For Plesk 11.5.30 CentOS 6, plesk-roundcube-0.9.5:

  • Replace the file /usr/share/psa-roundcube/program/include/rcmail_output_html.php with the attached rcmail_output_html.php:
    # ll /usr/share/psa-roundcube/program/include/rcmail_output_html.php
    -rw-r--r-- 1 root root 63089 Dec 31 02:06 /usr/share/psa-roundcube/program/include/rcmail_output_html.php

For Plesk 11.5.30 CentOS 5, plesk-roundcube-0.8.6:

  • Replace the file /usr/share/psa-roundcube/program/include/rcube_template.php with the attached rcube_template.php:
    # ll /usr/share/psa-roundcube/program/include/rcube_template.php
    -rw-r--r-- 1 root root 50042 Dec 31 03:11 /usr/share/psa-roundcube/program/include/rcube_template.php
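The two replacement steps above can be carried out and checked with a small script. The script below is an added example, not part of the Plesk article or of Plesk itself: it backs up the vulnerable original, installs the attached file, sets the root:root ownership and 644 mode shown in the listings, and verifies the installed file's size and mode against those listings (63089 bytes for rcmail_output_html.php, 50042 bytes for rcube_template.php). The directory ATTACH_DIR, where the attached files are assumed to have been saved, is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the Plesk article: install the attached
# replacement file on Plesk 11.5.30 and verify the result against the
# listing the article shows (owner root:root, mode 644, size in bytes).
# ATTACH_DIR is an assumption: the directory holding the attached files.
ATTACH_DIR="${ATTACH_DIR:-/root/roundcube-fix}"
RC_INCLUDE=/usr/share/psa-roundcube/program/include

# replace_and_verify SRC DST EXPECTED_SIZE OWNER MODE
# Backs up DST, copies SRC over it, sets OWNER/MODE, then checks that the
# installed file has the expected size and mode (and parses, if php exists).
replace_and_verify() {
    src="$1" dst="$2" expected_size="$3" owner="$4" mode="$5"
    [ -f "$src" ] || { echo "attachment not found: $src" >&2; return 1; }
    # Keep the vulnerable original for rollback and later investigation.
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.vuln.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp "$src" "$dst" || return 1
    chown "$owner" "$dst" || return 1
    chmod "$mode" "$dst" || return 1
    actual_size=$(wc -c < "$dst" | tr -d ' ')
    [ "$actual_size" -eq "$expected_size" ] || {
        echo "size mismatch for $dst: got $actual_size, expected $expected_size" >&2
        return 1
    }
    # GNU stat first (Linux); fall back to BSD stat syntax.
    actual_mode=$(stat -c %a "$dst" 2>/dev/null || stat -f %Lp "$dst")
    [ "$actual_mode" = "$mode" ] || {
        echo "mode mismatch for $dst: got $actual_mode, expected $mode" >&2
        return 1
    }
    # Syntax-check the installed PHP file when a php binary is available.
    if command -v php >/dev/null 2>&1; then
        php -l "$dst" >/dev/null 2>&1 || { echo "php -l failed for $dst" >&2; return 1; }
    fi
    return 0
}

# Usage on the affected server (run as root). Sizes are those in the article.
if [ "$(id -u)" -eq 0 ] && [ -d "$RC_INCLUDE" ]; then
    # Plesk 11.5.30 CentOS 6, plesk-roundcube-0.9.5
    if [ -f "$ATTACH_DIR/rcmail_output_html.php" ]; then
        replace_and_verify "$ATTACH_DIR/rcmail_output_html.php" \
            "$RC_INCLUDE/rcmail_output_html.php" 63089 root:root 644
    fi
    # Plesk 11.5.30 CentOS 5, plesk-roundcube-0.8.6
    if [ -f "$ATTACH_DIR/rcube_template.php" ]; then
        replace_and_verify "$ATTACH_DIR/rcube_template.php" \
            "$RC_INCLUDE/rcube_template.php" 50042 root:root 644
    fi
fi
```

Only the file matching the installed Roundcube package is present in ATTACH_DIR on a given server, so the script installs whichever attachment it finds. The size check against the article's listing catches a truncated download or a wrong attachment before the webmail is served from the new file; the backup copy keeps the vulnerable version available for comparison.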