***EDIT***
You can do this as the "simple" work around, but it likely breaks a user's ability to save their preferences. If you want the actual fix,, use the instructions in my next post instead:
http://forums.cpanel.net/f185/zero-...st-versions-roundcube-334112.html#post1355622
***End Edit***
While you wait for an update, the workaround on the page you linked is easy enough to apply. You just need to edit this file:
Code:
/usr/local/cpanel/base/3rdparty/roundcube/index.php
Code:
else if ($RCMAIL->action == 'save-pref') {
include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
}
Code:
else if ($RCMAIL->action == 'save-pref') {
//include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
echo "Oops";
die;
}Save that file. Problem solved!
Last edited:
The workaround above does prevent the hack, but I'm pretty sure it disables a user's ability to save their preferences. I just looked over the Roundcube 0.8.6 files, and this is what they did to fix the vulnerability:
- Open this file:
Code:
/usr/local/cpanel/base/3rdparty/roundcube/program/steps/utils/save_pref.inc - Look for these two lines:
Code:
$name = get_input_value('_name', RCUBE_INPUT_POST); $value = get_input_value('_value', RCUBE_INPUT_POST); - Add this code directly below it:
Code:
$whitelist = array( 'preview_pane', 'list_cols', 'collapsed_folders', 'collapsed_abooks', ); if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) { raise_error(array('code' => 500, 'type' => 'php', 'file' => __FILE__, 'line' => __LINE__, 'message' => sprintf("Hack attempt detected (user: %s)", $_SESSION['username'])), true, false); $OUTPUT->reset(); $OUTPUT->send(); } - Save the file. Problem solved... properly!
The Roundcube devs put a patch file up should anyone who is currently on 0.8.5 want to update themselves.
Roundcube Webmail - Browse /roundcubemail/0.8.5 at SourceForge.net
My guess is that since this it's an official patch, it probably doesn't break anything. This patch modifies four files, save_pref.inc and three others.
M
Roundcube Webmail - Browse /roundcubemail/0.8.5 at SourceForge.net
My guess is that since this it's an official patch, it probably doesn't break anything. This patch modifies four files, save_pref.inc and three others.
M
Last edited:
Hello,
Propose the following quick workaround to apply upstream patch on cPanel server:
May be paranoid, but to be sure that custom patch will not break anything after cPanel update in future it`s safe to remove it:
Propose the following quick workaround to apply upstream patch on cPanel server:
Code:
wget -O /usr/local/cpanel/src/3rdparty/gpl/patches/roundcube/0004-save-pref-0day.patch "http://downloads.sourceforge.net/project/roundcubemail/roundcubemail/0.8.5/save_prefs_vulnerability_fix_0.8.patch"
/usr/local/cpanel/bin/update-roundcube --force
Code:
rm -fv /usr/local/cpanel/src/3rdparty/gpl/patches/roundcube/0004-save-pref-0day.patch
Last edited:
We will be publishing updates to 11.36 and 11.34 soon to resolve this. I believe 11.32 is also on the list to be updated.
Hello,
An update with an official patch will be happening shortly for 11.36, 11.34 and 11.32 for Roundcube. Until that time, if you have used any other method to add a patch, please remove it, since it could override our patch and does not necessarily handle the security issue properly without breaking other functionality depending on which patch you might have used.
We do have documentation online on an alternative method until the patch release into each of the cPanel extant versions:
Patch Your RoundCube Installation
Thanks!
An update with an official patch will be happening shortly for 11.36, 11.34 and 11.32 for Roundcube. Until that time, if you have used any other method to add a patch, please remove it, since it could override our patch and does not necessarily handle the security issue properly without breaking other functionality depending on which patch you might have used.
We do have documentation online on an alternative method until the patch release into each of the cPanel extant versions:
Patch Your RoundCube Installation
Thanks!
That "Patch Your Roundcube Installation" link doesn't work. The most recent patch that Lik posted above was directly from Roundcube and worked just fine for me. I think I'll leave it in place until a patched version can immediately be deployed to my servers with a cPanel update. Better to be safe than sorry. If one follows Lik's instructions completely, there is nothing residual to be interfere with any cPanel update down the road.
Mike
You might have to refresh the link a few times. It's syncing out to the documentation servers when I posted it, so there might be some that haven't picked up the link yet. It is working for me, but one of the times I refreshed it wasn't found, so I'd suggest refreshing a couple of times.
I understand if you used the Roundcube site patch itself waiting until our version has been deployed on the various tiers and versions.
I understand if you used the Roundcube site patch itself waiting until our version has been deployed on the various tiers and versions.
when i execute the first patch i get the following:
Reversed (or previously applied) patch detected! Assume -R? [n]
This means that cpanel has executed the patch? because i didn't executed it manually before.
Reversed (or previously applied) patch detected! Assume -R? [n]
This means that cpanel has executed the patch? because i didn't executed it manually before.
Infopro
Well-Known Member
This might be helpful to post here I think:
cPanel & WHM Security Releases for 11.32, 11.34, and 11.36 - cPanel Forums
cPanel & WHM Security Releases for 11.32, 11.34, and 11.36 - cPanel Forums
