Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Internet Security | DShield SANS ISC InfoSec Forums

Roundcube Webmail Issues

Reader Nathan sent us an update on a vulnerability in Roundcube's html2text.php. He said that the exploit is being seen in the wild and that it works. Roundcube is a PHP-powered webmail solution which many prefer over SquirrelMail.

Nathan said that it was fixed on 12/12/2008, and an official release was on 12/16/2008. He also suggested that readers consider Suhosin, mod_chroot, and the php.ini settings below:

allow_url_include = Off
allow_url_fopen = Off
session.use_only_cookies = 1
session.cookie_httponly = 1
expose_php = Off
display_errors = Off
register_globals = Off
disable_functions = phpinfo
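
An added example, not part of the original post or of Roundcube: a small Python audit that checks the text of a php.ini against the settings listed above. The function names and the sample file are constructed for illustration; an unset directive is reported rather than assumed, since its default depends on the PHP version.

```python
RECOMMENDED = {  # values exactly as listed in the post above
    "allow_url_include": "Off", "allow_url_fopen": "Off",
    "session.use_only_cookies": "1", "session.cookie_httponly": "1",
    "expose_php": "Off", "display_errors": "Off", "register_globals": "Off",
}
REQUIRED_DISABLED = {"phpinfo"}  # from "disable_functions = phpinfo"
TRUE = {"1", "on", "true", "yes"}  # php.ini boolean spellings
FALSE = {"0", "off", "false", "no", "none", ""}

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    values = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments (simplified: no quoted ';')
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip().lower()] = value.strip().strip("\"'")
    return values

def as_bool(value):  # None when the value is not a boolean spelling
    v = value.lower()
    return True if v in TRUE else False if v in FALSE else None

def audit(text):
    """Return a sorted list of (directive, problem) for each deviation from the list."""
    ini, findings = parse_ini(text), []
    for key, want in RECOMMENDED.items():
        if key not in ini:
            findings.append((key, "unset"))  # default depends on the PHP version
        elif as_bool(ini[key]) is not as_bool(want):
            findings.append((key, "is " + ini[key]))
    disabled = {f.strip().lower() for f in ini.get("disable_functions", "").split(",")}
    findings += [("disable_functions", "missing " + f) for f in REQUIRED_DISABLED - disabled]
    return sorted(findings)

# Constructed sample php.ini, not taken from a real server.
SAMPLE = """\
[PHP]
allow_url_fopen = On
allow_url_include = 0
expose_php = off        ; trailing comment
display_errors = stderr
disable_functions = exec, system
session.use_only_cookies = 1
allow_url_fopen = Off
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
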

Thanks for the information and the links Nathan!

Marcus H. Sachs
Director, SANS Internet Storm Center


Dec 26th 2008
