Arch Linux Security Advisory ASA-201601-18
Published: Jan 17, 2016

roundcubemail: remote code execution

Source: Arch Linux, lists.archlinux.org

EPSS: 0.119 (Low), percentile 95.4%

High-Tech Bridge Security Research Lab discovered a path traversal
vulnerability in Roundcube. The vulnerability can be exploited to gain
access to sensitive information and, under certain circumstances, to
execute arbitrary code and totally compromise the vulnerable server.

The vulnerability exists due to insufficient sanitization of the "_skin"
HTTP POST parameter in the "/index.php" script when switching between
different skins of the web application. A remote authenticated attacker
can use path traversal sequences (e.g. "../../") to load a new skin from
an arbitrary location on the system that is readable by the webserver.

Exploitation of the vulnerability requires valid user credentials and
the ability to create files on the vulnerable host.
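The root cause described above is a user-controlled name being joined into a filesystem path without checking that the result stays inside the intended directory. The following is an added example, not Roundcube's own code, showing the defender-side pattern in Python: an allow-list on the parameter's characters, followed by a containment check on the resolved path. The skins directory layout, the skin name "larry", the "secrets" directory and the "skin.conf" file name are all constructed for the example.

```python
"""Added example (not Roundcube's code): validating a skin parameter before
it is used to build a filesystem path. Demonstrates the weak pattern the
advisory describes (unchecked concatenation) next to a hardened resolver
that rejects traversal sequences, absolute paths and symlink escapes.
All directory names and files below are constructed for the example.
"""
import os
import re
import tempfile
from typing import Optional

# A skin name is a plain directory name: letters, digits, underscore, hyphen.
# Dots and path separators are never legitimate, so they are excluded outright.
SKIN_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def naive_skin_path(skins_root: str, skin: str) -> str:
    """The weak pattern: the request parameter is joined into a path unchecked.
    'skin.conf' is a constructed file name, not a real Roundcube file."""
    return os.path.join(skins_root, skin, "skin.conf")


def resolve_skin_path(skins_root: str, skin: str) -> Optional[str]:
    """Hardened resolver: allow-list the name, then prove containment.

    Returns the resolved skin directory, or None when the value must be
    rejected (caller should fall back to the configured default skin).
    """
    if not SKIN_NAME_RE.fullmatch(skin):
        return None  # separators, '..', absolute paths, empty string
    root = os.path.realpath(skins_root)
    candidate = os.path.realpath(os.path.join(root, skin))
    # realpath collapses '..' and follows symlinks, so a symlink planted inside
    # the skins directory that points elsewhere is caught here as well.
    # commonpath (not startswith) avoids the '/skins' vs '/skins2' prefix trap.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isdir(candidate):
        return None  # name is well-formed but no such skin is installed
    return candidate


def demo() -> dict:
    """Build a throwaway skins tree and exercise both resolvers.

    Constructed layout:
      <tmp>/skins/larry      a legitimate skin
      <tmp>/secrets          a directory outside the skins root
      <tmp>/skins/evil ->    symlink to <tmp>/secrets
    """
    with tempfile.TemporaryDirectory() as tmp:
        skins_root = os.path.join(tmp, "skins")
        os.makedirs(os.path.join(skins_root, "larry"))
        os.makedirs(os.path.join(tmp, "secrets"))
        os.symlink(os.path.join(tmp, "secrets"), os.path.join(skins_root, "evil"))

        naive = os.path.normpath(naive_skin_path(skins_root, "../secrets"))
        return {
            # hardened resolver: only the real skin is accepted
            "valid": resolve_skin_path(skins_root, "larry") is not None,
            "traversal": resolve_skin_path(skins_root, "../secrets"),
            "nested_traversal": resolve_skin_path(skins_root, "larry/../../secrets"),
            "absolute": resolve_skin_path(skins_root, "/etc"),
            "symlink_escape": resolve_skin_path(skins_root, "evil"),
            "unknown": resolve_skin_path(skins_root, "nosuchskin"),
            # weak pattern: the concatenated path lands outside the skins root
            "naive_escapes_root": os.path.commonpath([skins_root, naive]) != skins_root,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The character allow-list alone would already stop "../" sequences; the realpath containment check is kept as a second, independent layer because it also rejects symlinks inside the skins directory that resolve elsewhere, a case a name filter cannot see.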

OS   Version  Architecture  Package        Version      Filename
any  any      any           roundcubemail  < 1.2beta-2  UNKNOWN