RoundCube Multiple Vulnerabilities Fixed by 1.1.2 and 1.0.6


Description   Several vulnerabilities have been identified in Roundcube:
- CVE-2015-1433: cross-site scripting. A remote attacker can exploit it by inserting arbitrary JavaScript or HTML code into the body of a mail, which will be executed in the victim's browser. This vulnerability works only in the Google Chrome browser.
- CVE-2015-5381: cross-site scripting. A remote attacker can exploit it by appending specially crafted JavaScript code to the "_mbox" parameter in order to steal the victim's cookies or extract email content.
- CVE-2015-5382: information disclosure. A remote and authenticated attacker can exploit it by downloading a vCard using a specially crafted POST request in order to potentially read unauthorized data. This vulnerability is located in the "photo.inc" source file.
- CVE-2015-5383: information disclosure. A remote attacker can exploit it by accessing the "webroot/logs/" directory in order to obtain sensitive information. This vulnerability is due to bad permission handling on log files.
Proofs of concept are available (CVE-2015-5381, CVE-2015-5382).
Updated, 07/07/2015:
roundcube packages provided by Debian Squeeze 6 and Wheezy 7 are vulnerable (CVE-2015-1433).
roundcube packages provided by FreeBSD are vulnerable (CVE-2015-5381, CVE-2015-5383).
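
A defender-side check for two of the issues above, as an added example that is not part of the original advisory: it scans web access logs for markup carried in the "_mbox" parameter (CVE-2015-5381) and for files actually served from a "logs/" directory (CVE-2015-5383). The combined log format, the `/roundcube/` install path, the file name and the addresses in the sample are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request target and status code from an Apache/nginx "combined" log line.
LINE_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Markup or script indicators that a mailbox name should not contain.
MARKUP_RE = re.compile(r'[<>"]|javascript:|\bon\w+\s*=', re.I)
# Assumption: the log directory is exposed as .../logs/ below the web root.
LOGS_RE = re.compile(r'(^|/)logs/', re.I)

def classify(line):
    """Return the list of findings for one access-log line."""
    m = LINE_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    findings = []
    # CVE-2015-5381: script content carried in the _mbox query parameter.
    for value in parse_qs(parts.query, keep_blank_values=True).get("_mbox", []):
        # parse_qs decodes once; decode again to catch double-encoded values.
        if MARKUP_RE.search(value) or MARKUP_RE.search(unquote(value)):
            findings.append("mbox-markup")
            break
    # CVE-2015-5383: a file below logs/ was served, not denied.
    if LOGS_RE.search(unquote(parts.path)) and m.group("status") in ("200", "206"):
        findings.append("logs-served")
    return findings

# Constructed sample lines (documentation addresses, made-up file name).
SAMPLE_LOG = """\
198.51.100.7 - - [06/Jun/2015:10:01:02 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120
198.51.100.7 - - [06/Jun/2015:10:01:09 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX%22%3E%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5300
203.0.113.9 - - [06/Jun/2015:10:02:11 +0000] "GET /roundcube/logs/sample.log HTTP/1.1" 200 20480
203.0.113.9 - - [06/Jun/2015:10:02:15 +0000] "GET /roundcube/logs/sample.log HTTP/1.1" 403 199
"""

def scan(text):
    """Map 1-based line numbers to findings, skipping clean lines."""
    return {n: f for n, line in enumerate(text.splitlines(), 1) if (f := classify(line))}

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG).items():
        print(n, ", ".join(findings))
```

A "logs-served" hit means the log directory is readable over HTTP and its permissions or web server rules need fixing; parameters sent in a POST body do not appear in access logs and are not covered by this check.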
     
Vulnerable Products   Vulnerable OS:
Fedora (Red Hat) - 21, 22
FreeBSD (FreeBSD)
GNU/Linux (Debian) - 6, 7
openSUSE (SUSE) - 13.2
Vulnerable Software:
     
Solution   Fixed roundcubemail packages for Fedora 21 and 22 are available (CVE-2015-5381, CVE-2015-5382, CVE-2015-5383).
     
CVE   CVE-2015-5383
CVE-2015-5382
CVE-2015-5381
CVE-2015-1433
     
References   - Roundcube : Updates 1.1.2 and 1.0.6 released
https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/
- openSUSE-SU-2015:1155-1 : Security update for roundcubemail
http://lists.opensuse.org/opensuse-updates/2015-06/msg00062.html
- VUXML : roundcube multiple vulnerabilities
http://www.vuxml.org/freebsd/038a5808-24b3-11e5-b0c8-bf4d8935d4fa.html
- Debian Security Tracker : roundcube
https://security-tracker.debian.org/tracker/CVE-2015-1433
- FEDORA-2015-11469 : Fedora 21 Update: roundcubemail-1.1.2-1.fc21
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162542.html
- FEDORA-2015-11405 : Fedora 22 Update: roundcubemail-1.1.2-1.fc22
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162461.html
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm | Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'meta' tag found in URL | 3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL | 3.2.0
XSS - Phishing : suspicious 'div' tag found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'img' tag found in URL | 3.2.0
XSS - Phishing : suspicious 'a' tag found in URL | 3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL | 3.2.0
XSS - Phishing : suspicious 'form' tag found in URL | 3.2.0
XSS - Prevention - GET : javascript code found in URL | 3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL | 3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL | 3.2.0
XSS - Phishing : suspicious 'link' tag found in URL | 3.2.0
XSS - Prevention - GET : 'script' tag found in URL | 3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL | 3.2.0
Roundcube arbitrary file read | 5.0.0
     


 
 
 
 
Risk level   Moderate
Vulnerability First Public Report Date   2015-06-05
Target Type   Server
Possible exploit   Remote