Yes, we're aware of that, and the security issue was fixed back in
December: http://lists.roundcube.net/mail-archive/users/2008-12/0000021.html

Also the 0.2-stable as well as the latest 0.2.1 release are not vulnerable 
to this anymore.

~Thomas


Zbigniew Szalbot wrote:
> Hello,
>
> Not sure if this is new to you but
>
> 213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] "POST
> /roundcube/bin/html2text.php HTTP/1.0" 406
>
> and as a result a non-empty directory /tmp/guestbook.ntr/ is created
> and a file /tmp/guestbook.php (which then causes issues with the
> operating system).
>
> This html2text.php file has been used by an attacker on my system (at
> least I think so). I have removed roundcube from my system and since
> then I have had no trouble, although they have been scanning for this
> file as I read from the logs.
>
> Yours,
>
_______________________________________________
List info: http://lists.roundcube.net/users/
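
A defender-side check for the log pattern reported in this thread, as an added example that is not part of the original messages: it scans access-log lines for requests to `bin/html2text.php` and separates POSTs that did not return 404 from plain probes. The sample log lines, the function names and the "POST and not 404" triage rule are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common log format. The size field is optional because the line quoted
# in the thread ends at the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TARGET = "/bin/html2text.php"

def find_html2text_requests(lines):
    """Map client IP -> list of (timestamp, method, path, status) for the script."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        # Drop the query string and decode %xx so encoded paths still match.
        path = unquote(m.group("path").split("?", 1)[0]).lower()
        if path.endswith(TARGET):
            hits[m.group("ip")].append(
                (m.group("ts"), m.group("method"), m.group("path"), int(m.group("status")))
            )
    return dict(hits)

def needs_review(hits):
    """Assumed triage rule: a POST answered with anything but 404 means the
    script path existed on this host, so check /tmp and the Roundcube version."""
    return sorted(
        ip for ip, reqs in hits.items()
        if any(method == "POST" and status != 404 for _, method, _, status in reqs)
    )

# Constructed sample input (documentation IP ranges, not real clients).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Mar/2009:19:22:14 +0100] "POST /roundcube/bin/html2text.php HTTP/1.0" 406',
    '198.51.100.7 - - [06/Mar/2009:02:10:01 +0100] "GET /webmail/bin/html2text.php HTTP/1.1" 404 209',
    '198.51.100.7 - - [06/Mar/2009:02:10:02 +0100] "POST /mail/bin/html2text.php HTTP/1.1" 404 209',
    '203.0.113.5 - - [06/Mar/2009:08:00:00 +0100] "GET /roundcube/index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    found = find_html2text_requests(SAMPLE_LOG)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("review:", needs_review(found))
```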
