Yes, we're aware of that and the security issue was fixed back in December: http://lists.roundcube.net/mail-archive/users/2008-12/0000021.html
Also the 0.2-stable as well as the latest 0.2.1 release are not vulnerable to this anymore.

~Thomas

Zbigniew Szalbot wrote:
> Hello,
>
> Not sure if this is new to you but
>
> 213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] "POST
> /roundcube/bin/html2text.php HTTP/1.0" 406
>
> and as a result a non-empty directory /tmp/guestbook.ntr/ is created
> and a file /tmp/guestbook.php (which then causes issues with the
> operating system).
>
> This html2text.php file has been used by an attacker on my system (at
> least I think so). I have removed roundcube from my system and since
> then I have had no trouble, although they have been scanning for this
> file as I read from the logs.
>
> Yours,
>
_______________________________________________
List info: http://lists.roundcube.net/users/
