RoundCube Multiple Vulnerabilities Fixed by 1.1.3


Description   Several vulnerabilities were reported in RoundCube:
- CVE-2015-8105: cross-site scripting located in the drag-n-drop file upload feature
- directory traversal allowing an attacker to access the content of the "bin", "logs", "config" and "temp" subdirectories of the application. This vulnerability stems from access being allowed in the RoundCube configuration file for Apache, "/etc/apache2/conf.d/roundcubemail.conf".
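To illustrate the directory-access issue described above, the following Apache configuration fragment is an added example and not the contents of the package's own /etc/apache2/conf.d/roundcubemail.conf (which this page does not reproduce); the alias path /roundcubemail and the install directory /srv/www/roundcubemail are assumptions. It shows the permissive setting that exposes the application's internal subdirectories next to the corrected setting that denies web access to bin, config, logs and temp.

```apache
# Added example, not the shipped package config. Paths are assumptions.
Alias /roundcubemail /srv/www/roundcubemail

# Weak setting: the whole install tree is served, so the internal
# subdirectories (/roundcubemail/config/, /logs/, /bin/, /temp/) are reachable
# from the network, which is the exposure the advisory describes.
<Directory /srv/www/roundcubemail>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Corrected setting: keep serving the application, but refuse every request
# that maps into the internal subdirectories (and anything below them).
# "Require all denied" is Apache 2.4 syntax; 2.2 used Order/Deny directives.
<DirectoryMatch "^/srv/www/roundcubemail/(bin|config|logs|temp)">
    Require all denied
</DirectoryMatch>
```

After reloading Apache, a request such as `curl -sI http://localhost/roundcubemail/config/` should return a 403 status while the application's normal pages continue to load; the 403 entries in the access log also give a simple way to spot probing of these paths.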
     
Vulnerable Products   Vulnerable OS:
openSUSE (SUSE) - 13.1, 13.2, 42.1
     
Solution   Fixed roundcubemail packages for openSUSE Leap 42.1 are available.
     
CVE   CVE-2015-8105
     
References   - RoundCube : Updates 1.1.3 and 1.0.7 released
http://roundcube.net/news/2015/09/14/updates-1.1.3-and-1.0.7-released/
- openSUSE-SU-2015:1904-1 : Security update for roundcubemail
http://lists.opensuse.org/opensuse-updates/2015-11/msg00030.html
- openSUSE-SU-2015:1945-1 : Security update for roundcubemail
http://lists.opensuse.org/opensuse-updates/2015-11/msg00053.html
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm                                          Available Since
Misc : Directory traversal - parameter starting with ../   3.2.0
Directory traversal using ..\..                           3.2.0
Directory traversal                                       3.2.0
Directory traversal backward root folder                  3.2.0
     
Risk level   Low

Vulnerability First Public Report Date   2015-09-14

Target Type   Server

Possible exploit   Remote