Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 26 Oct 2011 08:26:50 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- Round Cube Webmail -- DoS (unavailability
 to access user's INBOX) after receiving an email message with the URL in
 the Subject

On 10/26/2011 07:14 AM, Jan Lieskovsky wrote:
> Hello Josh, Steve, vendors,
>
>   a security flaw was found in the way Round Cube Webmail,
> a browser-based multilingual IMAP client, processed certail
> email-messages containing URL link in the message Subject,
> when the Suhosin check for dangerous PHP files inclusion
> was enabled. A remote attacker could send a specially-crafted
> email message to the victim, leading to denial of service
> (situation, where victim could not open their mail INBOX
> folder with the crafted email message present).
>
> References:
> [1] http://trac.roundcube.net/ticket/1488086
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646675
> [3] https://bugs.php.net/bug.php?id=55475
>
> Note: This is a strange one. The original source of the issue
>       seems to be PHP-Pear is_a() routine autoload bug:
>       https://bugs.php.net/bug.php?id=55475
>
>       and truly this deficiency might affect another package,
>       than roundcubemail (php-pear-MDB2 in Fedora case).
>
>       But it is a combination of this php-pear-MDB2 deficiency,
>       roundcube's handling of is_a() routine and Suhosin's
>       check for dangerous *.php files inclusion, which in
>       result might lead into situation, where valid roundcubemail
>       user couldn't access their INBOX just for some email
>       message being present in it.
>
>       In short, not sure if the CVE id should be assigned to
>       the PHP PEAR bug or to the roundcubemail package.
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team

Please use CVE-2011-4078 for this issue

-- 

-Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ