Short Name |
HTTP:MISC:ROUNDCUBE-IMAP-CMD-IN |
---|---|
Severity |
Major |
Recommended |
Yes |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
Roundcube Webmail Archive IMAP Command Injection |
Release Date |
2018/04/24 |
Update Number |
3058 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
An IMAP command injection vulnerability has been reported in Roundcube Webmail. The vulnerability is due to improper handling of the "_uid" parameter within certain HTTP requests. A remote attacker can exploit this vulnerability by enticing an authenticated user to visit a page which sends a request to the targeted server acting as the target user. Successful exploitation could lead to arbitrary MX (IMAP) injection on the target server.
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.