Re: roundcube security bug

2009-03-09 Thread Zbigniew Szalbot
Hello,

On Mon, Mar 9, 2009 at 15:54, Moti Levy  wrote:
> portaudit is always useful
>
> Affected package: roundcube-0.2.a,1

Ah... my bad - I have had roundcube installed from source, not from
the port. That's why I didn't know. I use portaudit on a daily basis. Many
thanks, though!

In the meantime I have notified roundcube authors but it seems they
should know by now anyway.

-- 
Zbigniew Szalbot
www.slowo.pl
www.fairtrade.net.pl
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: roundcube security bug

2009-03-09 Thread Moti Levy

On 03/09/09 6:05 AM, Zbigniew Szalbot wrote:
> Hi there,
>
> On Mon, Mar 9, 2009 at 10:50, Ross Cameron  wrote:
>> Surely an attempted cracking attempt on your server warrants making time?
>
> It does.
>
>> Without detailed reports of issues like this how is the vendor expected to
>> correct the problem?
>> Avoiding installing the code is just a lazy workaround, helping the
>> authors will improve the general open source software ecosystem.
>
> Like I said, I just lacked the time. I have notified the port
> maintainer though and intend to contact the author but I wish there
> was a simpler way than having to register first.

portaudit is always useful

Affected package: roundcube-0.2.a,1
Type of problem: roundcube -- remote execution of arbitrary code.
Reference:


Re: roundcube security bug

2009-03-09 Thread Zbigniew Szalbot
Hi there,

On Mon, Mar 9, 2009 at 10:50, Ross Cameron  wrote:
> Surely an attempted cracking attempt on your server warrants making time?

It does.

> Without detailed reports of issues like this how is the vendor expected to
> correct the problem?
> Avoiding installing the code is just a lazy workaround, helping the
> authors will improve the general open source software ecosystem.

Like I said, I just lacked the time. I have notified the port
maintainer though and intend to contact the author but I wish there
was a simpler way than having to register first.

-- 
Zbigniew Szalbot
www.slowo.pl
www.fairtrade.net.pl


Re: roundcube security bug

2009-03-09 Thread Ross Cameron
On Mon, Mar 9, 2009 at 9:47 AM, Zbigniew Szalbot  wrote:

> On Mon, Mar 9, 2009 at 08:43, Brent Clark 
> wrote:
> > Hiya
> >
> > Have you notified and / or checked with the upstream author (maybe the
> > mailing list too)?
>
> Not really. It requires subscribing to a mailing list which I don't
> have time to do at the moment.
>

Surely an attempted cracking attempt on your server warrants making time?

Without detailed reports of issues like this how is the vendor expected to
correct the problem?
Avoiding installing the code is just a lazy workaround, helping the
authors will improve the general open source software ecosystem.


Re: roundcube security bug

2009-03-09 Thread Michael Powell
Zbigniew Szalbot wrote:

> hello,
> 
> I strongly advise anyone who has the mail/roundcube port or software
> installed to be careful as it has a security bug (and I do not know
> where to report it). It allows people to remotely place a trojan on
> /tmp and use it. They do it like this:
> 
> 213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] "POST
> /roundcube/bin/html2text.php HTTP/1.0" 406
> and as a result a non-empty directory /tmp/guestbook.ntr/ is created
> and a file /tmp/guestbook.php
> 
> This html2text.php file has been used by an attacker on my system (at
> least I think so). I have removed the port and since then I have had
> no trouble, although they have been scanning for this file as I can
> read in the logs.
> 
> Yours,
> 

I have an eCommerce store and sometimes up to about two thirds of the script
kiddie runs include a search for roundcube. So it is a highly sought-after
active vulnerability for compromising web sites. I don't use it myself so it
has no effect on my site, but I am seeing the traffic.

-Mike


Re: roundcube security bug

2009-03-09 Thread Zbigniew Szalbot
On Mon, Mar 9, 2009 at 08:43, Brent Clark  wrote:
> Hiya
>
> Have you notified and / or checked with the upstream author (maybe the
> mailing list too)?

Not really. It requires subscribing to a mailing list which I don't
have time to do at the moment.


-- 
Zbigniew Szalbot
www.slowo.pl
www.fairtrade.net.pl


Re: roundcube security bug

2009-03-09 Thread Brent Clark

Zbigniew Szalbot wrote:
> hello,
>
> I strongly advise anyone who has the mail/roundcube port or software
> installed to be careful as it has a security bug (and I do not know
> where to report it). It allows people to remotely place a trojan on
> /tmp and use it. They do it like this:
>
> 213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] "POST
> /roundcube/bin/html2text.php HTTP/1.0" 406
> and as a result a non-empty directory /tmp/guestbook.ntr/ is created
> and a file /tmp/guestbook.php
>
> This html2text.php file has been used by an attacker on my system (at
> least I think so). I have removed the port and since then I have had
> no trouble, although they have been scanning for this file as I can
> read in the logs.
>
> Yours,

Hiya

Have you notified and / or checked with the upstream author (maybe the
mailing list too)?


Regards
Brent Clark


roundcube security bug

2009-03-09 Thread Zbigniew Szalbot
hello,

I strongly advise anyone who has the mail/roundcube port or software
installed to be careful as it has a security bug (and I do not know
where to report it). It allows people to remotely place a trojan on
/tmp and use it. They do it like this:

213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] "POST /roundcube/bin/html2text.php HTTP/1.0" 406
and as a result a non-empty directory /tmp/guestbook.ntr/ is created
and a file /tmp/guestbook.php

This html2text.php file has been used by an attacker on my system (at
least I think so). I have removed the port and since then I have had
no trouble, although they have been scanning for this file as I can
read in the logs.

Yours,

-- 
Zbigniew Szalbot
www.slowo.pl
www.fairtrade.net.pl
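A log check that the original post and Mike's note about scanning traffic both call for but neither includes: this added example (not from any poster in the thread) parses Apache-style access-log lines, flags POST requests to the html2text.php script named above under any install path, and tallies them per source address so repeat scanners stand out. The sample lines are constructed: the first is the line from the original post joined onto one line, the rest are made up with documentation-range addresses.

```python
import re
from collections import Counter

# Apache common/combined log prefix: IP ident user [timestamp] "METHOD PATH PROTO" STATUS
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Script named in the thread; the leading install path (/roundcube, /webmail, ...) varies
SUSPECT_SCRIPT = "/bin/html2text.php"

def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d

def is_suspect(entry):
    # A POST to html2text.php under any prefix, ignoring any query string
    path = entry["path"].split("?", 1)[0]
    return entry["method"] == "POST" and path.endswith(SUSPECT_SCRIPT)

def scan_log(lines):
    """Return the parsed entries that match the html2text.php POST pattern, in log order."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and is_suspect(e):
            hits.append(e)
    return hits

def hits_by_ip(hits):
    return Counter(h["ip"] for h in hits)

# Constructed sample: line 1 is the thread's own log line, the others are made up
SAMPLE_LOG = [
    '213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] "POST /roundcube/bin/html2text.php HTTP/1.0" 406 -',
    '198.51.100.7 - - [05/Mar/2009:19:23:01 +0100] "GET /roundcube/ HTTP/1.1" 200 1234',
    '192.0.2.10 - - [06/Mar/2009:02:11:40 +0100] "POST /webmail/bin/html2text.php HTTP/1.0" 200 15',
    '192.0.2.10 - - [06/Mar/2009:02:11:41 +0100] "POST /roundcube/bin/html2text.php?x=1 HTTP/1.0" 404 -',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print(hits_by_ip(scan_log(SAMPLE_LOG)))
```

Feed it a real access log with `scan_log(open(path))`; a hit with a 2xx status on a host that still has the script installed is the case worth checking /tmp for.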