The Community Forums


zero-day vulnerability in latest versions of roundcube

Discussion in 'Security' started by nrm, Mar 27, 2013.

  1. nrm

    nrm Member
    PartnerNOC

    Joined:
    Jan 11, 2007
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Moscow, Russia
  2. InterServed

    InterServed Well-Known Member

    Joined:
    Jul 10, 2007
    Messages:
    255
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    DataCenter Provider
    +1 for this, hope they will take action really fast and not the common slow style.
     
  3. alphawolf50

    alphawolf50 Well-Known Member

    Joined:
    Apr 28, 2011
    Messages:
    186
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    ***EDIT***
    You can do this as the "simple" workaround, but it likely breaks a user's ability to save their preferences. If you want the actual fix, use the instructions in my next post instead:
    http://forums.cpanel.net/f185/zero-...st-versions-roundcube-334112.html#post1355622
    ***End Edit***


    While you wait for an update, the workaround on the page you linked is easy enough to apply. You just need to edit this file:

    Code:
    /usr/local/cpanel/base/3rdparty/roundcube/index.php
    Navigate to about line 261. You should be looking at a block of code that looks like this:

    Code:
    else if ($RCMAIL->action == 'save-pref') {
      include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
    }
    Change it so that it looks like this:

    Code:
    else if ($RCMAIL->action == 'save-pref') {
      //include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
      echo "Oops";
      die;
    }
    All we did was add '//' in front of the line that starts with "include", and then add two more lines below it.
    Save that file. Problem solved!
     
    #3 alphawolf50, Mar 28, 2013
    Last edited: Mar 28, 2013
  4. alphawolf50

    alphawolf50 Well-Known Member

    Joined:
    Apr 28, 2011
    Messages:
    186
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    The workaround above does prevent the hack, but I'm pretty sure it disables a user's ability to save their preferences. I just looked over the Roundcube 0.8.6 files, and this is what they did to fix the vulnerability:

    1. Open this file:
      Code:
      /usr/local/cpanel/base/3rdparty/roundcube/program/steps/utils/save_pref.inc
    2. Look for these two lines:
      Code:
      $name = get_input_value('_name', RCUBE_INPUT_POST);
      $value = get_input_value('_value', RCUBE_INPUT_POST);
      
    3. Add this code directly below it:
      Code:
      $whitelist = array(
          'preview_pane',
          'list_cols',
          'collapsed_folders',
          'collapsed_abooks',
      );
      
      if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) {
          raise_error(array('code' => 500, 'type' => 'php',
              'file' => __FILE__, 'line' => __LINE__,
              'message' => sprintf("Hack attempt detected (user: %s)", $_SESSION['username'])),
              true, false);
      
          $OUTPUT->reset();
          $OUTPUT->send();
      }
      
    4. Save the file. Problem solved... properly!
     
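As an added illustration (not Roundcube's or cPanel's code, and not part of this thread), the following PHP models the save-pref handler with and without the 0.8.6-style allow-list quoted above, so the difference between the `die` workaround and the proper fix is visible: the unchecked handler writes whatever preference name the client sends, while the checked one writes only names the UI is known to save through this action or that a plugin has registered. The function names, the constructed requests, and the `$pluginAllowed` argument (standing in for `$RCMAIL->plugins->allowed_prefs`) are assumptions for the example.

```php
<?php
// Added example, not Roundcube's or cPanel's own code. Models a save-pref
// endpoint before and after an allow-list on the preference *name*, which is
// what the 0.8.6 fix adds. Function names and sample requests are constructed.

declare(strict_types=1);

// Preference names the UI legitimately saves via save-pref (the 0.8.6 list).
const SAVE_PREF_WHITELIST = ['preview_pane', 'list_cols', 'collapsed_folders', 'collapsed_abooks'];

/**
 * True when $name may be written by the save-pref action.
 * $pluginAllowed models $RCMAIL->plugins->allowed_prefs (names plugins registered).
 */
function allowed_pref_name(string $name, array $pluginAllowed = []): bool
{
    // Strict comparison: only an exact string match passes.
    return in_array($name, array_merge(SAVE_PREF_WHITELIST, $pluginAllowed), true);
}

/**
 * Vulnerable shape: any name the client sends becomes a stored preference.
 */
function save_pref_unchecked(array $prefs, string $name, string $value): array
{
    $prefs[$name] = $value;
    return $prefs;
}

/**
 * Hardened shape: names outside the allow-list are logged and the stored
 * preferences are left untouched. Returns [$prefs, $accepted].
 * The real fix logs "Hack attempt detected" and sends an empty response;
 * here we only report so the example stays self-contained.
 */
function save_pref_checked(array $prefs, string $name, string $value, array $pluginAllowed = []): array
{
    if (!allowed_pref_name($name, $pluginAllowed)) {
        error_log(sprintf('save-pref rejected unexpected preference name: %s', $name));
        return [$prefs, false];
    }
    $prefs[$name] = $value;
    return [$prefs, true];
}

// Constructed requests: a normal UI state change, a plugin-registered name,
// and a name the UI never sends through this action.
$requests = [
    ['_name' => 'preview_pane',          '_value' => '1'],
    ['_name' => 'example_plugin_option', '_value' => 'on'],
    ['_name' => 'some_internal_setting', '_value' => 'attacker-chosen'],
];
$pluginAllowed = ['example_plugin_option']; // assumed plugin registration
$prefs = ['language' => 'en_US'];

foreach ($requests as $req) {
    $unchecked = save_pref_unchecked($prefs, $req['_name'], $req['_value']);
    [$checked, $ok] = save_pref_checked($prefs, $req['_name'], $req['_value'], $pluginAllowed);
    printf("%-24s unchecked: %s | allow-list: %s\n",
        $req['_name'],
        isset($unchecked[$req['_name']]) ? 'written' : 'skipped',
        $ok ? 'written' : 'rejected');
}
```

Run it with `php` from the command line. Two things are worth noting against the snippet above: the check here uses strict `in_array`, slightly tighter than the upstream code, and the rejected branch returns the original `$prefs` unchanged, which is the property that matters. The `die` workaround in post #3 gets the same property by refusing every save, including the four legitimate UI keys, which is why it breaks preference saving.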
  5. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    The Roundcube devs put a patch file up should anyone who is currently on 0.8.5 want to update themselves.

    Roundcube Webmail - Browse /roundcubemail/0.8.5 at SourceForge.net

    My guess is that since it's an official patch, it probably doesn't break anything. This patch modifies four files, save_pref.inc and three others.

    M
     
    #5 mtindor, Mar 28, 2013
    Last edited: Mar 28, 2013
  6. Lik

    Lik Member
    PartnerNOC

    Joined:
    Dec 9, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    I propose the following quick workaround to apply the upstream patch on a cPanel server:

    Code:
    wget -O /usr/local/cpanel/src/3rdparty/gpl/patches/roundcube/0004-save-pref-0day.patch "http://downloads.sourceforge.net/project/roundcubemail/roundcubemail/0.8.5/save_prefs_vulnerability_fix_0.8.patch"
    /usr/local/cpanel/bin/update-roundcube --force
    
    It may be paranoid, but to be sure that the custom patch will not break anything after a future cPanel update, it's safe to remove it:

    Code:
    rm -fv /usr/local/cpanel/src/3rdparty/gpl/patches/roundcube/0004-save-pref-0day.patch
     
    #6 Lik, Mar 28, 2013
    Last edited: Mar 28, 2013
  7. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Are you saying that executing "/usr/local/cpanel/bin/update-roundcube --force" will automatically apply the downloaded patch? I wasn't aware of that.

    M

     
  8. Lik

    Lik Member
    PartnerNOC

    Joined:
    Dec 9, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Yep, the patch is applied.

     
  9. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    It was very nice of you to provide those easy-to-follow instructions for everyone. I had already manually patched mine (by editing all of the necessary files), but I went through and did it this way now since it's a lot cleaner and I can be sure it was applied properly.

    Thanks

    m
     
  10. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Thanks for the patch Lik. Hope to see this in upcp soon.
     
  11. Lik

    Lik Member
    PartnerNOC

    Joined:
    Dec 9, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Just updated my initial post with removal of the custom patch after the RoundCube update, in order to be on the safe side in the near future.

    And yes, awaiting cPanel staff to bump RoundCube version as a long term solution.
     
  12. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,461
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    We will be publishing updates to 11.36 and 11.34 soon to resolve this. I believe 11.32 is also on the list to be updated.
     
  13. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hello,

    An update with an official patch will be happening shortly for 11.36, 11.34 and 11.32 for Roundcube. Until that time, if you have used any other method to add a patch, please remove it, since it could override our patch and does not necessarily handle the security issue properly without breaking other functionality depending on which patch you might have used.

    We do have documentation online on an alternative method until the patch is released into each of the extant cPanel versions:

    Patch Your RoundCube Installation

    Thanks!
     
  14. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    That "Patch Your Roundcube Installation" link doesn't work. The most recent patch that Lik posted above was directly from Roundcube and worked just fine for me. I think I'll leave it in place until a patched version can immediately be deployed to my servers with a cPanel update. Better to be safe than sorry. If one follows Lik's instructions completely, there is nothing residual to interfere with any cPanel update down the road.

    Mike
     
  15. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    You might have to refresh the link a few times. It was syncing out to the documentation servers when I posted it, so there might be some that haven't picked up the link yet. It is working for me, but one of the times I refreshed it wasn't found, so I'd suggest refreshing a couple of times.

    I understand if you use the Roundcube site patch itself while waiting until our version has been deployed on the various tiers and versions.
     
  16. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Thanks, Tristan.

    Mike
     
  17. _El_Chojin_

    _El_Chojin_ Member

    Joined:
    May 22, 2009
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    When I execute the first patch I get the following:

    Reversed (or previously applied) patch detected! Assume -R? [n]

    Does this mean that cPanel has already executed the patch? Because I didn't execute it manually before.
     
  18. mikem91

    mikem91 Registered

    Joined:
    Nov 10, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    As a precaution, I've disabled Roundcube under Tweak Settings. Will there be a notice when the patch is pushed out so I know when to enable it again?
     
  19. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,474
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator