Bug 1566743 (CVE-2018-9846)

Summary: CVE-2018-9846 roundcubemail: MX injection in archive.php
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fedora, kevin, mhlavink
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 19:59:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1566744    
Bug Blocks:    

Description Laura Pardo 2018-04-12 22:34:39 UTC 
A flaw was found in Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.


References:
https://github.com/roundcube/roundcubemail/issues/6229
https://github.com/roundcube/roundcubemail/issues/6238
https://medium.com/@ndrbasi/cve-2018-9846-roundcube-303097048b0a

Patch:
https://github.com/roundcube/roundcubemail/commit/e3dd5b66d236867572e68fcb80281e9268a0cfb0
Comment 1 Laura Pardo 2018-04-12 22:36:31 UTC 
Created roundcubemail tracking bugs for this issue:

Affects: epel-all [bug 1566744]