Security Alert: RoundCubeMail
ATTENTION: All server administrators using RoundCubeMail as their MailServer interface.
ISSUE of RoundCubeMail:
We have found multiple vulnerabilities and corrected them in RoundCubeMail:
The login form
In Roundcube Webmail before 0.5.1, a correctly authenticated but accidental login attempt is not appropriately handled. Therefore, by arranging for a victim to log in, this makes it simpler for remote authenticated users to get critical information. Write an email message referencing a login CSRF vulnerability to the attacker’s account next (CVE-2011-1491).
Before version 0.5.1 of Roundcube Webmail, it was improperly verified whether a request was for an external Cascading Style Sheet (CSS) stylesheet. CSS stylesheets give remote, authenticated users the ability to direct the server to open any number of outbound TCP connections. Additionally, it might obtain private information through a carefully constructed request. (CVE-2011-1492).
Cross-site scripting (XSS)
In Roundcube Webmail, a vulnerability in UI messages before 0.5.4 allows remote attackers to inject arbitrary web scripts or HTML via the _mbox parameter to the default URI (CVE-2011-2937).
Include/iniset.php in Roundcube Webmail
In Roundcube Webmail 0.5.4 and earlier, when using PHP 5.3.7 or 5.3.8, remote attackers can trigger a GET request for an arbitrary URL. This causes a denial of service (resource consumption and inbox interruption) via a subject header containing only one URL, a related issue to CVE-2011-3379 (CVE-2011-4078).
RESOLUTION To RoundCubeMail Issue:
Upgrade the RoundCube Webmail to version 0.7.2