A remotely exploitable code injection vulnerability has been found in the RoundCube Webmail browser-based multilingual IMAP client due to insufficient sanitization of certain HTML tags. A remote attacker could use this flaw to potentially inject and execute arbitrary code via HTML POST form request with specially-crafted HTML tags. References: http://trac.roundcube.net/ticket/1485618 http://trac.roundcube.net/changeset/2148
This issue affects all versions of the roundcubemail package, as shipped with Fedora releases of 8, 9 and 10. Please apply the above patch and update.
roundcubemail-0.2-4.beta.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/roundcubemail-0.2-4.beta.fc10
roundcubemail-0.2-4.beta.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/roundcubemail-0.2-4.beta.fc9
roundcubemail-0.2-4.beta.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/roundcubemail-0.2-4.beta.fc8
roundcubemail-0.2-4.beta.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
roundcubemail-0.2-4.beta.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
roundcubemail-0.2-4.beta.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5619 to this vulnerability: html2text.php in RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619 http://trac.roundcube.net/ticket/1485618 http://sourceforge.net/forum/forum.php?forum_id=898542 http://trac.roundcube.net/changeset/2148 https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00783.html https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00802.html http://www.openwall.com/lists/oss-security/2008/12/12/1 http://secunia.com/advisories/33170