Signature Detail

HTTP: Roundcube Webmail Archive IMAP Command Injection

An IMAP command injection vulnerability has been reported in Roundcube Webmail. The vulnerability is due to improper handling of the "_uid" parameter within certain HTTP requests. A remote attacker can exploit this vulnerability by enticing an authenticated user to visit a page which sends a request to the targeted server acting as the target user. Successful exploitation could lead to arbitrary MX (IMAP) injection on the target server.

Extended Description

In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.

Affected Products

• Debian debian_linux 9.0
• Roundcube webmail 1.2.0
• Roundcube webmail 1.2.1
• Roundcube webmail 1.2.10
• Roundcube webmail 1.2.11
• Roundcube webmail 1.2.2
• Roundcube webmail 1.2.3
• Roundcube webmail 1.2.4
• Roundcube webmail 1.2.5
• Roundcube webmail 1.2.6
• Roundcube webmail 1.2.7
• Roundcube webmail 1.2.8
• Roundcube webmail 1.2.9
• Roundcube webmail 1.3
• Roundcube webmail 1.3.0
• Roundcube webmail 1.3.1
• Roundcube webmail 1.3.2
• Roundcube webmail 1.3.3
• Roundcube webmail 1.3.4
• Roundcube webmail 1.3.5

References

• CVE: CVE-2018-9846