RoundCube Webmail bin/html2text.php Post Request Remote PHP Code Execution

Severity: High (Nessus Plugin ID 35273)

Synopsis

The remote web server contains a PHP script that allows execution of arbitrary commands.

Description

The remote host is running RoundCube Webmail, a web-based IMAP client written in PHP.

The version of RoundCube Webmail installed on the remote host allows execution of arbitrary commands via the embedded html2text conversion library from chuggnutt.com. Using a specially crafted POST request, an unauthenticated, remote attacker can leverage this issue to execute arbitrary PHP code on the affected host, subject to the privileges under which the web server operates.

Solution

Upgrade to RoundCube Webmail 0.2-beta2 or apply the 0.2-beta patch referenced in the forum posting above.

See Also

http://trac.roundcube.net/ticket/1485618

https://www.securityfocus.com/archive/1/499489/30/0/threaded

Plugin Details

Severity: High

ID: 35273

File Name: roundcube_html2text_cmd_exec.nasl

Version: 1.22

Type: remote

Family: CGI abuses

Published: 12/26/2008

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:roundcube:webmail

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Exploited by Nessus: true

Exploitable With

CANVAS (CANVAS)

Core Impact

Elliot (Roundcube 0.2beta RCE)

Reference Information

CVE: CVE-2008-5619

BID: 32799

CWE: 94