Roundcube - Important Security Issue

  • Dear community,


    Lately, some users reported to us a security issue that has been discovered in the Roundcube Webmail and asked us if our Roundcube package is affected as well.


    Our official answer


    The Roundcube version that is provided by our package is also affected, but the Roundcube installations as provided by this package are not impacted by the security hole. Indeed, one of the requirements to exploit the security hole is that Roundcube is configured to send mails using the PHP mail() function. That is not the case with Roundcube as provided by our package. Indeed, mails are sent through the local SMTP server (Postfix). This can be easily affirmed by reading the Roundcube configuration file:



    As you can see here, the $config['smtp_server'] is not left blank, meaning that the smtp() PHP function is not involved.


    However, even if we are not impacted by this security issue, we will provide an update in the next hours.



    See also:


  • Dear community,


    A new version of the Roundcube package for i-MSCP is now available (Roundcube version 1.2.3). You can update as usual by running the following command:


    Shell-Script
    # perl /var/www/imscp/engine/setup/imscp-reconfigure -d


  • I have just one system left which is running IMSCP 1.1.18

    Code
    $rcmail_config['smtp_server'] = 'smtp.admin.host1.mydomain.com';

    Can I use localhost as a quick fix or does it not work with this version?


  • @fulltilt


    Your current value smtp.admin.host1.globe.lu is ok too.

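An added example (not part of the original thread, and not i-MSCP or Roundcube code): a shell check for the condition the first post describes, reporting whether a Roundcube configuration file leaves smtp_server blank. The function names, the sample file and the choice to treat a missing key as blank are assumptions; both the $config and the older $rcmail_config forms quoted in the thread are accepted.

```shell
#!/bin/sh
# Added example: audit a Roundcube config file for a blank smtp_server.

# Print the effective smtp_server value: the last uncommented assignment wins.
# Lines starting with //, # or * are skipped; assignments hidden inside a
# /* ... */ block without a leading * are not detected.
rc_smtp_server() {
    sed -n -E \
      -e '/^[[:space:]]*(\/\/|#|\*)/d' \
      -e "s/^[[:space:]]*\\\$(rcmail_)?config\\[['\"]smtp_server['\"]\\][[:space:]]*=[[:space:]]*['\"]([^'\"]*)['\"].*/\\2/p" \
      "$1" | tail -n 1
}

# True (exit 0) when smtp_server is blank. A missing key is treated as
# blank (assumption), so an absent setting is flagged, not ignored.
rc_smtp_blank() {
    [ -z "$(rc_smtp_server "$1")" ]
}

# Print a one-line verdict; exit 0 = SMTP server set, 1 = blank, 2 = unreadable.
rc_audit() {
    if [ ! -r "$1" ]; then
        echo "UNREADABLE"
        return 2
    fi
    if rc_smtp_blank "$1"; then
        echo "BLANK"
        return 1
    fi
    echo "SMTP $(rc_smtp_server "$1")"
}

# Constructed sample config (not taken from a real installation).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
// $config['smtp_server'] = '';
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 25;
EOF
rc_audit "$sample"
rm -f "$sample"
```

Run `rc_audit` against the installation's own Roundcube configuration file; a `BLANK` verdict is the case the first post describes as a requirement for the issue.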