Bug 541558 (CVE-2009-4076, CVE-2009-4077)

Summary: CVE-2009-4076 CVE-2009-4077 RoundCube Webmail: Multiple CSRF flaws
Product: [Other] Security Response
Component: vulnerability
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Nobody <nobody>
CC: gwync
Status: ASSIGNED
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Bug Depends On: 541963

Description Jan Lieskovsky 2009-11-26 10:26:50 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4076 to
the following vulnerability:

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
0.2.2 and earlier allows remote attackers to hijack the authentication
of unspecified users for requests that modify user information via
unspecified vectors, a different vulnerability than CVE-2009-4077.

References:
----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4076
http://trac.roundcube.net/wiki/Changelog
http://jvn.jp/en/jp/JVN72974205/index.html
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000071.html
http://www.osvdb.org/59661
http://secunia.com/advisories/37235

Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4077 to
the following vulnerability:

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
0.2.2 and earlier allows remote attackers to hijack the authentication
of unspecified users for requests that send arbitrary emails via
unspecified vectors, a different vulnerability than CVE-2009-4076.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4077
http://trac.roundcube.net/wiki/Changelog
http://jvn.jp/en/jp/JVN75694913/index.html
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000072.html
http://www.osvdb.org/59661
http://secunia.com/advisories/37235

Comment 1 Jan Lieskovsky 2009-11-26 10:44:28 UTC
Jon, regarding the updates:
---------------------------

1, While in Fedora 11, 12 and rawhide we already ship 0.3-* based
versions of RoundCube Webmail, in F10 the latest version is
roundcubemail-0.2.2-2.fc10.

2, The above References records are poor w.r.t. providing more information
about the patches needed. The only track about CSRF issues I found is in [A]:

Release 0.3-RC1
  ...
  * Use request tokens to protect POST requests from CSRF

[A] http://trac.roundcube.net/wiki/Changelog

3, When I searched the SVN log for "Release 0.3-RC1" for CSRF related commits,
   I found these three:

   i,   r2755 | thomasb | 2009-07-15 11:49:35 +0200 (Wed, 15 Jul 2009) | 1 line

        Use request tokens to protect POST requests from CSFR

   ii,  r2758 | thomasb | 2009-07-16 17:01:05 +0200 (Thu, 16 Jul 2009) | 1 line

        Force ajax calls to protect from CSRF

   iii, r2779 | thomasb | 2009-07-21 18:13:42 +0200 (Tue, 21 Jul 2009) | 1 line

        Also protect GET request from CSRF

which projected into commits gives these URLs:

   i,   http://trac.roundcube.net/changeset/2755
   ii,  http://trac.roundcube.net/changeset/2758
   iii, http://trac.roundcube.net/changeset/2779

And these three seem to be applicable to the latest version of RoundCube
Webmail, as shipped with Fedora 10.

Assuming newer versions (present in F11, F12 and rawhide) will already
contain them.

Didn't check the versions of RoundCube Webmail, as shipped within the Extra
Packages for Enterprise Linux 4 (EPEL-4) and 5 (EPEL-5) projects
(these are still RoundCube Webmail 0.1.1 based), but it's possible some of
the above changes are applicable to them too.

Jon, long story short, could you schedule F10 RoundCube Webmail update
with above three commits?

Thanks, Jan.
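
As an added illustration of the mitigation named in the changelog entry quoted above ("Use request tokens to protect POST requests from CSRF", extended to ajax and GET requests by r2758 and r2779), here is a minimal per-session request token in PHP. This is example code written for this page, not RoundCube's own implementation and not part of the bug report; the helper names, the session key and field name, the sample action URL and the PHP 7+ functions it relies on (random_bytes, hash_equals) are this example's assumptions.

```php
<?php
// Added example, not RoundCube code: one random request token per login
// session, embedded in every state-changing form and checked on arrival.
// Names below (csrf_*, CSRF_SESSION_KEY, CSRF_FIELD_NAME) are assumed.

declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_request_token';   // assumed session key
const CSRF_FIELD_NAME  = '_token';                // assumed form/query field

/**
 * Return the session's request token, creating it on first use.
 * It is random, not derived from the session id, and is never put in a
 * cookie, so a form on another origin has no way to obtain it even
 * though the browser attaches the session cookie to its request.
 */
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden input to embed in every form that modifies state or sends mail. */
function csrf_hidden_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD_NAME
         . '" value="' . $token . '">';
}

/**
 * Validate the token carried by a request. Pass $_POST for form posts and
 * $_GET for state-changing links and ajax calls, so that every path that
 * changes user data or sends mail is covered, not only POST.
 */
function csrf_request_is_valid(array &$session, array $request): bool
{
    if (empty($session[CSRF_SESSION_KEY])) {
        return false;   // no token issued yet: nothing could legitimately send one
    }
    $sent = $request[CSRF_FIELD_NAME] ?? '';
    if (!is_string($sent) || $sent === '') {
        return false;
    }
    // Constant-time comparison; a plain === would leak timing information.
    return hash_equals($session[CSRF_SESSION_KEY], $sent);
}

// --- Constructed walk-through (stand-ins for $_SESSION and $_POST) --------
$session = [];

// A form rendered by the application carries the token (action URL is made up).
$form = '<form method="post" action="/settings/save">'
      . csrf_hidden_field($session) . '</form>';

// Legitimate submission: the browser posts back the field the form contained.
$same_origin_post = [CSRF_FIELD_NAME => $session[CSRF_SESSION_KEY], '_name' => 'user-a'];

// Cross-site submission: the other origin cannot read the token, so the field
// is missing, or carries a value that cannot match the 32 random bytes.
$cross_site_post  = ['_name' => 'user-b'];
$wrong_token_post = [CSRF_FIELD_NAME => str_repeat('0', 64), '_name' => 'user-b'];

var_dump(csrf_request_is_valid($session, $same_origin_post));
var_dump(csrf_request_is_valid($session, $cross_site_post));
var_dump(csrf_request_is_valid($session, $wrong_token_post));
```

Only the first check passes: the other two requests arrive with the victim's session cookie but without the token, which is exactly the distinction the CVE descriptions above hinge on. The design point is that the check must sit in front of every handler that modifies user information or sends mail, whichever HTTP method and whichever entry point (form, link, ajax) it is reached through; a token that only guards some POST forms leaves the remaining handlers forgeable.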

Comment 3 Gwyn Ciesla 2009-11-30 19:55:04 UTC
See:

https://admin.fedoraproject.org/updates/roundcubemail-0.2.2-4.fc10?_csrf_token=5d306bc36ec390a9824e793d7dc8511cb0055e61

I'll have a look at EL-5.  RC isn't in EL-4, as it needs PHP5.

Comment 5 Fedora Update System 2009-12-01 18:24:27 UTC
roundcubemail-0.1.1-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2009-12-02 04:27:30 UTC
roundcubemail-0.2.2-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.