
[ASA-201804-8] roundcubemail: arbitrary command execution

2018-04-19 00:00:00
security.archlinux.org

EPSS: 0.408 (Medium), percentile 97.3%

Arch Linux Security Advisory ASA-201804-8

Severity: High
Date : 2018-04-19
CVE-ID : CVE-2018-9846
Package : roundcubemail
Type : arbitrary command execution
Remote : Yes
Link : https://security.archlinux.org/AVG-670

Summary

The package roundcubemail before version 1.3.6-1 is vulnerable to
arbitrary command execution.

Resolution

Upgrade to 1.3.6-1.

pacman -Syu "roundcubemail>=1.3.6-1"

The problem has been fixed upstream in version 1.3.6.

Workaround

Disable the archive plugin.

Description

In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin
enabled and configured, it's possible to exploit the unsanitized, user-
controlled "_uid" parameter (in an archive.php
_task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform
an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a
sequence. NOTE: this is less easily exploitable in 1.3.4 and later
because of a Same Origin Policy protection mechanism.
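The root cause above is a request parameter reaching the IMAP command line with CR/LF intact. The following added example (not Roundcube's own code or the upstream fix) shows the two defensive checks a practitioner would want: a strict validator that accepts only a syntactically valid IMAP UID set, and a scan over constructed web-server access-log lines that flags any "_uid" value decoding to a CR or LF. The log format and IP addresses are assumed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A valid IMAP UID set: numbers, ranges such as 12:34 or 12:*, or a bare '*',
# comma separated. Anything else (CR, LF, spaces, IMAP keywords) is rejected
# before it could ever be concatenated into an IMAP command.
_UID_ITEM = r"(?:\d+:\d+|\d+:\*|\d+|\*)"
UID_SET_RE = re.compile(_UID_ITEM + r"(?:," + _UID_ITEM + r")*")

def is_safe_uid_param(value: str) -> bool:
    """Return True only if value is a well-formed IMAP UID set."""
    return UID_SET_RE.fullmatch(value) is not None

# Constructed sample access-log lines (Common Log Format, not real traffic).
# Line 2 carries a %0d%0a sequence in _uid followed by a harmless IMAP NOOP;
# line 3 shows the same pattern in a different Roundcube action.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Apr/2018:10:01:02 +0000] "GET /?_task=mail&_mbox=INBOX'
    '&_action=plugin.move2archive&_uid=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/Apr/2018:10:03:07 +0000] "GET /?_task=mail&_mbox=INBOX'
    '&_action=plugin.move2archive&_uid=42%0d%0aA1%20NOOP HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Apr/2018:10:04:00 +0000] "GET /?_task=mail'
    '&_action=list&_uid=1%0d%0a HTTP/1.1" 200 100',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def find_imap_injection_attempts(log_lines):
    """Return (line_no, action, decoded_uid, reason) for every request whose
    _uid parameter is not a clean UID set; 'crlf' marks the injection pattern."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes, so %0d%0a becomes a literal "\r\n" here
        qs = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        action = qs.get("_action", ["?"])[0]
        for uid in qs.get("_uid", []):
            if is_safe_uid_param(uid):
                continue
            reason = "crlf" if ("\r" in uid or "\n" in uid) else "malformed"
            hits.append((line_no, action, uid, reason))
    return hits

if __name__ == "__main__":
    for hit in find_imap_injection_attempts(SAMPLE_LOG):
        print(hit)
```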

Impact

A remote attacker is able to execute arbitrary IMAP commands via a
specially crafted URL.

References

https://github.com/roundcube/roundcubemail/issues/6229
https://github.com/roundcube/roundcubemail/issues/6238
https://medium.com/@ndrbasi/cve-2018-9846-roundcube-303097048b0a
https://roundcube.net/news/2018/04/11/security-update-1.3.6
https://security.archlinux.org/CVE-2018-9846

Affected package

OS : Arch Linux
Version : any
Architecture : any
Package : roundcubemail
Version : < 1.3.6-1
Filename : UNKNOWN