Dear community,
Lately, some users reported to us a security issue that has been discovered in Roundcube Webmail and asked whether our Roundcube package is affected as well.
Our official answer
The Roundcube version provided by our package is also affected, but the Roundcube installations as deployed by this package are not impacted by the security hole. One of the requirements to exploit it is that Roundcube is configured to send mails using the PHP mail() function. That is not the case with Roundcube as provided by our package: mails are sent through the local SMTP server (Postfix). This can be easily confirmed by reading the Roundcube configuration file:
```php
...
// SMTP server host (for sending mails).
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// If left blank, the PHP mail() function is used
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
#$config['smtp_server'] = 'smtp.{BASE_SERVER_VHOST}';
$config['smtp_server'] = 'localhost';
```
As you can see, $config['smtp_server'] is not left blank, meaning that the PHP mail() function is not involved.
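The check above is done by eye. For administrators who want to verify the same thing across several installations, here is a small Python script, added as an example and not part of the package or of Roundcube itself, that reads the configuration text, ignores the commented-out template line, and reports whether the effective smtp_server value would make Roundcube fall back to PHP mail(). It assumes the real Roundcube load order (defaults.inc.php first, then config.inc.php, later assignments overriding earlier ones); the file paths you pass on the command line are yours to supply, and the embedded sample is a constructed copy of the excerpt above.

```python
import re
import sys

# Constructed sample: the relevant lines from the package's config excerpt,
# including the commented-out template line that must NOT count.
SAMPLE_CONFIG = """<?php
// If left blank, the PHP mail() function is used
#$config['smtp_server'] = 'smtp.{BASE_SERVER_VHOST}';
$config['smtp_server'] = 'localhost';
"""

# Matches an active (uncommented) assignment of $config['smtp_server'] or, for
# older Roundcube configs, $rcmail_config['smtp_server'], with a quoted literal.
# Because the pattern anchors at line start on optional whitespace followed by
# '$', lines commented with '#' or '//' do not match. Limitations: multi-line
# /* ... */ comments and values built from expressions are not understood.
ASSIGN_RE = re.compile(
    r"""^\s*\$(?:config|rcmail_config)\[\s*['"]smtp_server['"]\s*\]\s*=\s*(['"])(.*?)\1\s*;""",
    re.MULTILINE,
)


def smtp_server_setting(config_text):
    """Return the smtp_server value from one config file, or None if unset.

    PHP evaluates the file top to bottom, so the last active assignment wins.
    """
    matches = ASSIGN_RE.findall(config_text)
    if not matches:
        return None
    return matches[-1][1]


def effective_smtp_server(config_texts):
    """config_texts: file contents in Roundcube load order
    (defaults.inc.php, then config.inc.php). Later files override earlier ones.
    """
    value = None
    for text in config_texts:
        found = smtp_server_setting(text)
        if found is not None:
            value = found
    return value


def uses_php_mail(config_texts):
    """True when Roundcube would send through PHP mail() (smtp_server blank
    or never set), which is the precondition the advisory talks about."""
    value = effective_smtp_server(config_texts)
    return value is None or value.strip() == ""


if __name__ == "__main__":
    # Usage: python check_smtp.py /path/to/defaults.inc.php /path/to/config.inc.php
    # (paths are placeholders; without arguments the constructed sample is used)
    paths = sys.argv[1:]
    texts = [open(p, encoding="utf-8").read() for p in paths] or [SAMPLE_CONFIG]
    server = effective_smtp_server(texts)
    if uses_php_mail(texts):
        print("smtp_server is blank/unset: Roundcube falls back to PHP mail()")
    else:
        print("smtp_server = %r: mail is handed to an SMTP server, not mail()" % server)
```

Run it against both configuration files of each installation; passing only config.inc.php is enough when that file assigns smtp_server itself, as the package's configuration does.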
However, even though we are not impacted by this security issue, we will provide an update in the next few hours.
See also: