roundcube security bug
Hello,

I strongly advise anyone who has the mail/roundcube port or software installed to be careful as it has a security bug (and I do not know where to report it). It allows people to remotely place a trojan on /tmp and use it. They do it like this:

213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] POST /roundcube/bin/html2text.php HTTP/1.0 406

and as a result a non-empty directory /tmp/guestbook.ntr/ is created and a file /tmp/guestbook.php

This html2text.php file has been used by an attacker on my system (at least I think so). I have removed the port and since then I have had no trouble, although they have been scanning for this file as I can read in the logs.

Yours,
-- 
Zbigniew Szalbot
www.slowo.pl
www.fairtrade.net.pl
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
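As an added example (not part of the thread or of Roundcube itself), here is a small POSIX shell script that does the log check Zbigniew describes: it reads an Apache-style access log in Common Log Format and reports which clients requested the bin/html2text.php path, plus the POSTs with their timestamps so they can be matched against file creation times under /tmp. The log format, the log path in the comment and all sample lines except the first (which reproduces the one quoted above) are assumptions.

```shell
#!/bin/sh
# Added example: count requests for Roundcube's bin/html2text.php per client
# in an Apache-style (Common Log Format) access log.  The first sample line
# reproduces the one from the post; the rest are constructed so that benign
# traffic is shown being ignored.  Log layout and path are assumptions.

SAMPLE_LOG='213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] "POST /roundcube/bin/html2text.php HTTP/1.0" 406 -
10.0.0.5 - - [05/Mar/2009:19:23:01 +0100] "GET /roundcube/ HTTP/1.1" 200 1234
198.51.100.7 - - [06/Mar/2009:02:11:40 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 512
198.51.100.7 - - [06/Mar/2009:02:11:41 +0100] "GET /roundcube/bin/html2text.php HTTP/1.1" 404 -
10.0.0.5 - - [06/Mar/2009:09:00:00 +0100] "GET /index.html HTTP/1.1" 200 88'

# html2text_hits: read CLF lines on stdin, print "count ip" for every client
# that requested html2text.php, busiest client first.  Any method and any
# status code is counted: the hit quoted in the post was logged as a 406,
# and the follow-up scans show up as GETs with 404s.
html2text_hits() {
    awk '$7 ~ /\/bin\/html2text\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# html2text_posts: only the POSTs, printed as "timestamp ip status", so the
# times can be compared with ls -l on /tmp/guestbook.php and friends.
html2text_posts() {
    awk '$6 == "\"POST" && $7 ~ /\/bin\/html2text\.php/ {
             ts = substr($4, 2); print ts, $1, $9 }'
}

# Stand-alone run against the constructed sample.  On a real host replace the
# printf with e.g.  cat /var/log/httpd-access.log  (path is an assumption).
printf '%s\n' "$SAMPLE_LOG" | html2text_hits
printf '%s\n' "$SAMPLE_LOG" | html2text_posts
```

The IP column from html2text_hits is what you would feed into a pf table or hosts.allow entry; matching the POST timestamps against the mtime of the dropped files in /tmp is how you confirm that a given request is the one that planted them rather than a later scan.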
Re: roundcube security bug
Zbigniew Szalbot wrote:
> Hello,
>
> I strongly advise anyone who has the mail/roundcube port or software installed to be careful as it has a security bug (and I do not know where to report it). It allows people to remotely place a trojan on /tmp and use it. They do it like this:
>
> 213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] POST /roundcube/bin/html2text.php HTTP/1.0 406
>
> and as a result a non-empty directory /tmp/guestbook.ntr/ is created and a file /tmp/guestbook.php
>
> This html2text.php file has been used by an attacker on my system (at least I think so). I have removed the port and since then I have had no trouble, although they have been scanning for this file as I can read in the logs.
>
> Yours,

Hiya

Have you notified and / or checked with the upstream author (maybe the mailing list too)?

Regards
Brent Clark
Re: roundcube security bug
On Mon, Mar 9, 2009 at 08:43, Brent Clark <brentgclarkl...@gmail.com> wrote:
> Hiya
>
> Have you notified and / or checked with the upstream author (maybe the mailing list too)?

Not really. It requires subscribing to a mailing list which I don't have time to do at the moment.

-- 
Zbigniew Szalbot
www.slowo.pl
www.fairtrade.net.pl
Re: roundcube security bug
Zbigniew Szalbot wrote:
> Hello,
>
> I strongly advise anyone who has the mail/roundcube port or software installed to be careful as it has a security bug (and I do not know where to report it). It allows people to remotely place a trojan on /tmp and use it. They do it like this:
>
> 213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] POST /roundcube/bin/html2text.php HTTP/1.0 406
>
> and as a result a non-empty directory /tmp/guestbook.ntr/ is created and a file /tmp/guestbook.php
>
> This html2text.php file has been used by an attacker on my system (at least I think so). I have removed the port and since then I have had no trouble, although they have been scanning for this file as I can read in the logs.
>
> Yours,

I have an eCommerce store and sometimes up to about two thirds of the script kiddie runs include a search for roundcube. So it is a highly sought-after active vulnerability for compromising web sites. I don't use it myself so it has no effect on my site, but I am seeing the traffic.

-Mike
Re: roundcube security bug
On Mon, Mar 9, 2009 at 9:47 AM, Zbigniew Szalbot <zszal...@gmail.com> wrote:
> On Mon, Mar 9, 2009 at 08:43, Brent Clark <brentgclarkl...@gmail.com> wrote:
>> Hiya
>>
>> Have you notified and / or checked with the upstream author (maybe the mailing list too)?
>
> Not really. It requires subscribing to a mailing list which I don't have time to do at the moment.

Surely an attempted cracking attempt on your server warrants making time?

Without detailed reports of issues like this how is the vendor expected to correct the problem? Avoiding installing the code is just a lazy workaround; helping the authors will improve the general open source software ecosystem.
Re: roundcube security bug
Hi there,

On Mon, Mar 9, 2009 at 10:50, Ross Cameron <abal...@gmail.com> wrote:
> Surely an attempted cracking attempt on your server warrants making time?

It does.

> Without detailed reports of issues like this how is the vendor expected to correct the problem? Avoiding installing the code is just a lazy workaround; helping the authors will improve the general open source software ecosystem.

Like I said, I just lacked the time. I have notified the port maintainer though and intend to contact the author, but I wish there was a simpler way than having to register first.

-- 
Zbigniew Szalbot
www.slowo.pl
www.fairtrade.net.pl
Re: roundcube security bug
On 03/09/09 6:05 AM, Zbigniew Szalbot wrote:
> Hi there,
>
> On Mon, Mar 9, 2009 at 10:50, Ross Cameron <abal...@gmail.com> wrote:
>> Surely an attempted cracking attempt on your server warrants making time?
>
> It does.
>
>> Without detailed reports of issues like this how is the vendor expected to correct the problem? Avoiding installing the code is just a lazy workaround; helping the authors will improve the general open source software ecosystem.
>
> Like I said, I just lacked the time. I have notified the port maintainer though and intend to contact the author, but I wish there was a simpler way than having to register first.

portaudit is always useful:

Affected package: roundcube-0.2.a,1
Type of problem: roundcube -- remote execution of arbitrary code.
Reference: http://www.FreeBSD.org/ports/portaudit/8f483746-d45d-11dd-84ec-001fc66e7203.html
Re: roundcube security bug
Hello,

On Mon, Mar 9, 2009 at 15:54, Moti Levy <levym...@gmail.com> wrote:
> portaudit is always useful:
>
> Affected package: roundcube-0.2.a,1

Ah... my bad - I had roundcube installed from source, not from the port. That's why I didn't know. I use portaudit on a daily basis. Many thanks, though!

In the meantime I have notified the roundcube authors, but it seems they should know by now anyway.

-- 
Zbigniew Szalbot
www.slowo.pl
www.fairtrade.net.pl