zero-day vulnerability in latest versions of roundcube

alphawolf50

Well-Known Member
Apr 28, 2011
186
2
68
cPanel Access Level
Root Administrator
Details: #1489021 (Possible exploit)

Can you update roundcube as quickly as possible?
***EDIT***
You can do this as the "simple" work around, but it likely breaks a user's ability to save their preferences. If you want the actual fix,, use the instructions in my next post instead:
http://forums.cpanel.net/f185/zero-...st-versions-roundcube-334112.html#post1355622
***End Edit***


While you wait for an update, the workaround on the page you linked is easy enough to apply. You just need to edit this file:

Code:
/usr/local/cpanel/base/3rdparty/roundcube/index.php
Navigate to about line 261. You should be looking at a block of code that looks like this:

Code:
else if ($RCMAIL->action == 'save-pref') {
  include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
}
Change it so that it looks like this:

Code:
else if ($RCMAIL->action == 'save-pref') {
  //include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
  echo "Oops";
  die;
}
All we did was add '//' in front of the line that starts with "include", and then add two more lines below it.
Save that file. Problem solved!
 
Last edited:

alphawolf50

Well-Known Member
Apr 28, 2011
186
2
68
cPanel Access Level
Root Administrator
The workaround above does prevent the hack, but I'm pretty sure it disables a user's ability to save their preferences. I just looked over the Roundcube 0.8.6 files, and this is what they did to fix the vulnerability:

  1. Open this file:
    Code:
    /usr/local/cpanel/base/3rdparty/roundcube/program/steps/utils/save_pref.inc
  2. Look for these two lines:
    Code:
    $name = get_input_value('_name', RCUBE_INPUT_POST);
    $value = get_input_value('_value', RCUBE_INPUT_POST);
  3. Add this code directly below it:
    Code:
    $whitelist = array(
        'preview_pane',
        'list_cols',
        'collapsed_folders',
        'collapsed_abooks',
    );
    
    if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) {
        raise_error(array('code' => 500, 'type' => 'php',
            'file' => __FILE__, 'line' => __LINE__,
            'message' => sprintf("Hack attempt detected (user: %s)", $_SESSION['username'])),
            true, false);
    
        $OUTPUT->reset();
        $OUTPUT->send();
    }
  4. Save the file. Problem solved... properly!
 

mtindor

Well-Known Member
Sep 14, 2004
1,363
65
178
inside a catfish
cPanel Access Level
Root Administrator
The Roundcube devs put a patch file up should anyone who is currently on 0.8.5 want to update themselves.

Roundcube Webmail - Browse /roundcubemail/0.8.5 at SourceForge.net

My guess is that since this it's an official patch, it probably doesn't break anything. This patch modifies four files, save_pref.inc and three others.

M
 
Last edited:

Lik

Member
PartnerNOC
Dec 9, 2008
10
0
51
Hello,

Propose the following quick workaround to apply upstream patch on cPanel server:

Code:
wget -O /usr/local/cpanel/src/3rdparty/gpl/patches/roundcube/0004-save-pref-0day.patch "http://downloads.sourceforge.net/project/roundcubemail/roundcubemail/0.8.5/save_prefs_vulnerability_fix_0.8.patch"
/usr/local/cpanel/bin/update-roundcube --force
May be paranoid, but to be sure that custom patch will not break anything after cPanel update in future it`s safe to remove it:

Code:
rm -fv /usr/local/cpanel/src/3rdparty/gpl/patches/roundcube/0004-save-pref-0day.patch
 
Last edited:

mtindor

Well-Known Member
Sep 14, 2004
1,363
65
178
inside a catfish
cPanel Access Level
Root Administrator
Are you saying that executing "/usr/local/cpanel/bin/update-roundcube --force" will automatically apply the downloaded patch? I wasn't aware of that.

M

Hello,

Propose the following quick workaround to apply upstream patch on cPanel server:

Code:
wget -O /usr/local/cpanel/src/3rdparty/gpl/patches/roundcube/0004-save-pref-0day.patch "http://downloads.sourceforge.net/project/roundcubemail/roundcubemail/0.8.5/save_prefs_vulnerability_fix_0.8.patch"
/usr/local/cpanel/bin/update-roundcube --force
 

Lik

Member
PartnerNOC
Dec 9, 2008
10
0
51
Yep, patch is applied.

# /usr/local/cpanel/bin/update-roundcube --force
Roundcube update from 0.8.4.cp3 to 0.8.4.cp3 in progress.
Roundcube will be locked out during this process.
Updating RoundCube (using cPanel version)
info [update-roundcube] Applied patch '0001-Apply-default-values-for-cPanel-webmail-environment.patch'
patching file config/db.inc.php.dist
patching file config/main.inc.php.dist
patching file index.php
patching file program/include/rcube_imap.php
patching file program/include/rcube_imap_generic.php
info [update-roundcube] Applied patch '0002-append-INBOX.-to-avoid-UID-COPY-Unknown-namespace-er.patch'
patching file config/main.inc.php.dist
info [update-roundcube] Applied patch '0003-User-can-select-a-different-skin-when-its-choice-is-.patch'
patching file program/include/rcube_template.php
info [update-roundcube] Applied patch '0004-save-pref-0day.patch'
patching file program/include/rcube_plugin.php
patching file program/include/rcube_plugin_api.php
patching file program/steps/mail/sendmail.inc
patching file program/steps/utils/save_pref.inc
info [update-roundcube] Successfully applied 4 patches
INFO - Applied cPanel patches (if any) to Roundcube source.
Archiving current Roundcube data to /var/cpanel/roundcube/roundcube.backup.sql.1364494007
Roundcube DB successfully archived
-rw------- 1 root root 2155232 Mar 28 18:06 /var/cpanel/roundcube/roundcube.backup.sql.1364494007
Cleaning old Roundcube data archives
Removing old backup: roundcube.backup.sql.1351372952
Schema update to 0.8.4 was successful
 

mtindor

Well-Known Member
Sep 14, 2004
1,363
65
178
inside a catfish
cPanel Access Level
Root Administrator
Hello,

Propose the following quick workaround to apply upstream patch on cPanel server:

Code:
wget -O /usr/local/cpanel/src/3rdparty/gpl/patches/roundcube/0004-save-pref-0day.patch "http://downloads.sourceforge.net/project/roundcubemail/roundcubemail/0.8.5/save_prefs_vulnerability_fix_0.8.patch"
/usr/local/cpanel/bin/update-roundcube --force
It was very nice of you to provide those easy-to-follow instructions for everyone. I had already manually patched mine (by editing all of the necesssary files), but I went through and did it this way now since it's a lot cleaner and I can be sure it was applied properly.

Thanks

m
 

Lik

Member
PartnerNOC
Dec 9, 2008
10
0
51
Just updated my initial post with removal of custom patch after RoundCube update in order to be in the safe side in nearest future.

And yes, awaiting cPanel staff to bump RoundCube version as a long term solution.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,608
77
308
cPanel Access Level
Root Administrator
We will be publishing updates to 11.36 and 11.34 soon to resolve this. I believe 11.32 is also on the list to be updated.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
38
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Hello,

An update with an official patch will be happening shortly for 11.36, 11.34 and 11.32 for Roundcube. Until that time, if you have used any other method to add a patch, please remove it, since it could override our patch and does not necessarily handle the security issue properly without breaking other functionality depending on which patch you might have used.

We do have documentation online on an alternative method until the patch release into each of the cPanel extant versions:

Patch Your RoundCube Installation

Thanks!
 

mtindor

Well-Known Member
Sep 14, 2004
1,363
65
178
inside a catfish
cPanel Access Level
Root Administrator
Hello,

An update with an official patch will be happening shortly for 11.36, 11.34 and 11.32 for Roundcube. Until that time, if you have used any other method to add a patch, please remove it, since it could override our patch and does not necessarily handle the security issue properly without breaking other functionality depending on which patch you might have used.

We do have documentation online on an alternative method until the patch release into each of the cPanel extant versions:

Patch Your RoundCube Installation

Thanks!
That "Patch Your Roundcube Installation" link doesn't work. The most recent patch that Lik posted above was directly from Roundcube and worked just fine for me. I think I'll leave it in place until a patched version can immediately be deployed to my servers with a cPanel update. Better to be safe than sorry. If one follows Lik's instructions completely, there is nothing residual to be interfere with any cPanel update down the road.

Mike
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
38
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
You might have to refresh the link a few times. It's syncing out to the documentation servers when I posted it, so there might be some that haven't picked up the link yet. It is working for me, but one of the times I refreshed it wasn't found, so I'd suggest refreshing a couple of times.

I understand if you used the Roundcube site patch itself waiting until our version has been deployed on the various tiers and versions.
 

_El_Chojin_

Member
May 22, 2009
21
0
51
when i execute the first patch i get the following:

Reversed (or previously applied) patch detected! Assume -R? [n]

This means that cpanel has executed the patch? because i didn't executed it manually before.
 

mikem91

Registered
Nov 10, 2008
3
0
51
As a precaution, I've disabled Roundcube under Tweak Settings. Will there be a notice when the patch is pushed out so I know when to enable it again?