List:       oss-security
Subject:    Re: [oss-security] CVE Request -- Round Cube Webmail -- DoS (unavailability
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2011-10-26 14:26:50
Message-ID: 4EA818AA.5020907 () redhat ! com
On 10/26/2011 07:14 AM, Jan Lieskovsky wrote:
> Hello Josh, Steve, vendors,
>
>   a security flaw was found in the way Round Cube Webmail,
> a browser-based multilingual IMAP client, processed certain
> email messages containing a URL link in the message Subject,
> when the Suhosin check for dangerous PHP files inclusion
> was enabled. A remote attacker could send a specially-crafted
> email message to the victim, leading to denial of service
> (a situation where the victim could not open their mail INBOX
> folder with the crafted email message present).
>
> References:
> [1] http://trac.roundcube.net/ticket/1488086
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646675
> [3] https://bugs.php.net/bug.php?id=55475
>
> Note: This is a strange one. The original source of the issue
>       seems to be PHP-Pear is_a() routine autoload bug:
>       https://bugs.php.net/bug.php?id=55475
>
>       and truly this deficiency might affect another package
>       than roundcubemail (php-pear-MDB2 in Fedora's case).
>
>       But it is a combination of this php-pear-MDB2 deficiency,
>       roundcube's handling of the is_a() routine and Suhosin's
>       check for dangerous *.php files inclusion, which as a
>       result might lead to a situation where a valid roundcubemail
>       user couldn't access their INBOX just because some email
>       message is present in it.
>
>       In short, not sure if the CVE id should be assigned to
>       the PHP PEAR bug or to the roundcubemail package.
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team

Please use CVE-2011-4078 for this issue

-- 

-Kurt Seifried / Red Hat Security Response Team
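The chain Jan describes (an untrusted string reaching is_a(), is_a() handing it to the autoloader, the autoloader turning it into an include path, Suhosin aborting the request) is worth seeing in code from the defender's side. The snippet below is an added illustration, not code from Roundcube, MDB2 or PHP: it shows an autoloader that refuses to build a path from anything that is not a plausible class name, and a type-check helper that never passes a non-object to is_a(). The directory constant, the helper name and the sample subject line are assumptions made up for the example. For reference, PHP 5.3.9 restored the old behaviour by adding a third is_a() parameter, $allow_string, that defaults to false.

```php
<?php
// Added example (not the Roundcube, MDB2 or PHP projects' own code).
// Assumed layout: classes live under CLASS_DIR in a PSR-0 style tree;
// CLASS_DIR and is_instance_of() are placeholder names for this example.

define('CLASS_DIR', __DIR__ . '/lib');

// 1. Autoloader that validates the name before touching the filesystem.
//    On PHP 5.3.7/5.3.8, is_a('http://host/x.php', 'Foo') hands that URL
//    string straight to every registered autoloader; with Suhosin's include
//    check enabled the resulting require() attempt kills the request.
//    Rejecting anything that is not a bare class name removes that path.
spl_autoload_register(function ($class) {
    // Letters, digits and underscores, optionally namespace-separated.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*$/', $class)) {
        return;                                   // decline silently
    }
    $file = CLASS_DIR . '/' . str_replace(array('\\', '_'), '/', $class) . '.php';
    if (is_file($file)) {                         // never include a URL or
        require $file;                            // a path we did not build
    }
});

// 2. Type check that never lets a string reach is_a().
//    Message data (subject, headers, body) can never be an object, so the
//    is_object() guard answers false for it without consulting the autoloader.
function is_instance_of($value, $className)
{
    if (!is_object($value)) {
        return false;
    }
    return $value instanceof $className;          // $className may be a string
}

// Constructed sample input resembling the problematic subject line.
$subject = 'Re: see http://example.invalid/x.php';   // constructed, not real

var_dump(is_instance_of($subject, 'SomeClass'));     // bool(false), no include attempted
```

The two halves are independent defences: the guarded helper stops the call site from ever triggering autoload on message data, and the validating autoloader means that even a call site that is missed (as in the MDB2 case) cannot turn an attacker-supplied string into an include.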