The vulnerability exists in Roundcube 1.2.2 and earlier versions, is rated as highly critical, and is easy relatively easy to exploit.
The vulnerability exists in Roundcube 1.2.2 and earlier versions, is rated as highly critical, and is easy relatively easy to exploit.

RIPS Technologies researchers spotted a command execution vulnerability in Roundcube open source webmail software which could allow an attacker to run arbitrary code on the host's operating system.

The vulnerability exists in Roundcube 1.2.2 and earlier versions, is rated as highly critical, and is easy relatively easy to exploit, according to a Dec. 6 blog post. In order to exploit the vulnerability Roundcube must be configured to use PHP's mail() function, the PHP's mail() function must be configured to use sendmail, PHP must be configured to have safe_mode turned off, and an attacker must know or guess the absolute path of the webroot.

The flaw is the result of insufficient sanitization of user input in the fifth parameter of PHP mail which allows an attacker to execute arbitrary commands on the underlying operating system by writing an email.

“The attack scenario for this vulnerability is fairly straightforward and quite trivial,” Tripwire Security Research and Software Development Engineer Lane Thames told SC Media via emailed comments. “Malicious actors just need to find servers running the vulnerable Roundcube software and simply construct an email message to a user of the email server with two specially crafted email fields.”

While open source platforms like Roundcube offer great benefits, it's important to hire security experts to evaluate the open source code before deployment and perform penetration testing afterwards to ensure that it is secure, he said.

“Organizations should also be mindful of a given open source software's upgrade process and, in particular, its methodology for handling updates for security related bugs that are found: do they offer a formal security bulletin? How do they communicate to the community when security bugs are found, etc,” Thames said.

The flaw has already been fixed on Github and a patch was issued a day after Roundcube learned of the flaw. Administrators are urged to update the Roundcube installation to the latest version 1.2.3 as soon as possible.