List: oss-security
Subject: Re: [oss-security] CVE Request -- Round Cube Webmail -- DoS (unavailability
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2011-10-26 14:26:50
Message-ID: 4EA818AA.5020907 () redhat ! com
On 10/26/2011 07:14 AM, Jan Lieskovsky wrote:
> Hello Josh, Steve, vendors,
>
> a security flaw was found in the way Round Cube Webmail,
> a browser-based multilingual IMAP client, processed certain
> email messages containing a URL link in the message Subject,
> when the Suhosin check for dangerous PHP file inclusion
> was enabled. A remote attacker could send a specially-crafted
> email message to the victim, leading to denial of service
> (a situation where the victim could not open their mail INBOX
> folder while the crafted email message was present).
>
> References:
> [1] http://trac.roundcube.net/ticket/1488086
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646675
> [3] https://bugs.php.net/bug.php?id=55475
>
> Note: This is a strange one. The original source of the issue
> seems to be PHP-Pear is_a() routine autoload bug:
> https://bugs.php.net/bug.php?id=55475
>
> and truly this deficiency might affect a package other
> than roundcubemail (php-pear-MDB2 in Fedora's case).
>
> But it is the combination of this php-pear-MDB2 deficiency,
> roundcube's handling of the is_a() routine and Suhosin's
> check for dangerous *.php file inclusion which in
> result might lead to a situation where a valid roundcubemail
> user couldn't access their INBOX just because some email
> message is present in it.
>
> In short, not sure if the CVE id should be assigned to
> the PHP PEAR bug or to the roundcubemail package.
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
Please use CVE-2011-4078 for this issue
--
-Kurt Seifried / Red Hat Security Response Team
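The thread describes a chain in which a string taken from a mail header reaches PHP's is_a(), which triggers the PEAR-style autoloader, which in turn builds an include path from that string and is then stopped by Suhosin. The following is an added example, not code from the thread, from Roundcube or from PHP-PEAR; it shows the two defensive habits that break that chain on the application side: an autoloader that refuses anything that is not a plausible class name before it touches include(), and an is_a() wrapper that never hands a non-object to the class-name code path. The `lib/` directory layout, the function names and the sample subject string are assumptions made for the example.

```php
<?php
// Added example (not from the original thread, Roundcube or PEAR).
// Assumed layout: classes live under ./lib/, PEAR-style (Foo_Bar -> lib/Foo/Bar.php).

declare(strict_types=1);

/**
 * Autoloader that validates the class name before building an include path,
 * so arbitrary data (a mail subject, a URL) that reaches is_a() or
 * class_exists() can never be turned into an include() target.
 * Returns true when a class file was loaded, false otherwise.
 */
function safe_autoload(string $class): bool
{
    // Accept only identifier characters; '_' for PEAR-style names, '\' for namespaces.
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_\\\\]*\z/', $class)) {
        error_log('autoload: rejected suspicious class name: ' . bin2hex($class));
        return false;
    }

    $base = realpath(__DIR__ . '/lib');
    $file = realpath(__DIR__ . '/lib/' . str_replace(['_', '\\'], '/', $class) . '.php');

    // realpath() returns false for missing files and resolves "..", so also
    // require that the resolved file still sits under the library directory.
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }

    require $file;
    return true;
}
spl_autoload_register('safe_autoload');

/**
 * is_a() wrapper for call sites that only ever mean to test an object instance.
 * A non-object (e.g. a header string) yields false without being interpreted
 * as a class name, so no autoload is triggered at all.
 */
function is_instance_of($value, string $class): bool
{
    return is_object($value) && is_a($value, $class);
}

// Constructed input shaped like the trigger the thread describes: a URL-like
// string that must not be treated as a class to load.
$subject = 'http://example.invalid/some/path';

var_dump(is_instance_of($subject, 'PEAR_Error')); // bool(false): string never reaches is_a()
var_dump(class_exists($subject));                // bool(false): autoloader rejects the name
```

The autoloader guard is the more general fix: it protects every code path that can trigger autoloading with untrusted data, not just the is_a() call the thread discusses. The wrapper is the cheap local fix for individual call sites while the underlying PHP and PEAR packages are updated.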