Bug 541558 - (CVE-2009-4076, CVE-2009-4077) CVE-2009-4076 CVE-2009-4077 RoundCube Webmail: Multiple CSRF flaws
Status: ASSIGNED
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,source=cve,reported=2...
Keywords: Security
Depends On: 541963
Reported: 2009-11-26 05:26 EST by Jan Lieskovsky
Modified: 2016-03-04 06:19 EST
Doc Type: Bug Fix
Attachments: None
Description Jan Lieskovsky 2009-11-26 05:26:50 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4076 to
the following vulnerability:

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
0.2.2 and earlier allows remote attackers to hijack the authentication
of unspecified users for requests that modify user information via
unspecified vectors, a different vulnerability than CVE-2009-4077.

References:
----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4076
http://trac.roundcube.net/wiki/Changelog
http://jvn.jp/en/jp/JVN72974205/index.html
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000071.html
http://www.osvdb.org/59661
http://secunia.com/advisories/37235

Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4077 to
the following vulnerability:

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
0.2.2 and earlier allows remote attackers to hijack the authentication
of unspecified users for requests that send arbitrary emails via
unspecified vectors, a different vulnerability than CVE-2009-4076.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4077
http://trac.roundcube.net/wiki/Changelog
http://jvn.jp/en/jp/JVN75694913/index.html
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000072.html
http://www.osvdb.org/59661
http://secunia.com/advisories/37235
Comment 1 Jan Lieskovsky 2009-11-26 05:44:28 EST
Jon, regarding the updates:
---------------------------

1, While in Fedora 11, 12 and rawhide we already ship 0.3-* based
versions of RoundCube Webmail, in F10 the latest version is
roundcubemail-0.2.2-2.fc10.

2, The above References records are poor with regard to providing more
information about the patches needed. The only track of CSRF issues I found is in [A]:

Release 0.3-RC1
  ...
  * Use request tokens to protect POST requests from CSRF

[A] http://trac.roundcube.net/wiki/Changelog

3, When I searched the SVN log for "Release 0.3-RC1" for CSRF-related commits,
   I found these three:

   i,   r2755 | thomasb | 2009-07-15 11:49:35 +0200 (Wed, 15 Jul 2009) | 1 line

        Use request tokens to protect POST requests from CSFR

   ii,  r2758 | thomasb | 2009-07-16 17:01:05 +0200 (Thu, 16 Jul 2009) | 1 line

        Force ajax calls to protect from CSRF

   iii, r2779 | thomasb | 2009-07-21 18:13:42 +0200 (Tue, 21 Jul 2009) | 1 line

        Also protect GET request from CSRF

which projected into commits gives these URLs:

   i,   http://trac.roundcube.net/changeset/2755
   ii,  http://trac.roundcube.net/changeset/2758
   iii, http://trac.roundcube.net/changeset/2779

And these three seem to be applicable to the latest version of RoundCube
Webmail, as shipped with Fedora 10.

Assuming newer versions (present in F11, F12 and rawhide) will already
contain them.

I didn't check the versions of RoundCube Webmail as shipped within the Extra
Packages for Enterprise Linux 4 (EPEL-4) and 5 (EPEL-5) projects
(these are still RoundCube Webmail 0.1.1 based), but it's possible some of
the above changes are applicable to them too.

Jon, long story short, could you schedule an F10 RoundCube Webmail update
with the above three commits?

Thanks, Jan.
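The request-token mechanism that the three commits above introduce (a per-session token checked on POST forms, ajax calls and state-changing GET requests), shown as an added illustrative example in Python; it is not Roundcube's code, and the action names, the `_token` parameter and the `X-Request-Token` header are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: actions that change server-side state need a token
# whatever HTTP method carries them (the progression of r2755 POST, r2758 ajax, r2779 GET).
STATE_CHANGING_ACTIONS = {"send", "save-identity", "delete"}


class RequestTokenGuard:
    """Per-session anti-CSRF request token (illustrative; not Roundcube's implementation)."""

    def __init__(self, session_id: str, server_secret: bytes):
        self.session_id = session_id
        self.server_secret = server_secret

    def token(self) -> str:
        # Keyed hash of the session id: bound to this session, unforgeable without the
        # server secret, and useless if copied from a different session.
        return hmac.new(self.server_secret, self.session_id.encode(), hashlib.sha256).hexdigest()

    def accept(self, action: str, params: dict, headers: dict) -> bool:
        """True if the request may proceed, False if it must be rejected (and logged)."""
        if action not in STATE_CHANGING_ACTIONS:
            return True  # read-only action: a cross-site load cannot change anything here
        # Forms and links carry the token as the `_token` parameter; ajax calls carry it
        # in a header (both names are assumptions made for this example).
        presented = params.get("_token") or headers.get("X-Request-Token")
        if not isinstance(presented, str):
            return False  # token absent: the request did not originate from our own UI
        # Constant-time comparison so the check itself leaks nothing about the token.
        return hmac.compare_digest(presented.encode(), self.token().encode())


def demo() -> dict:
    """Exercise the guard with constructed requests; returns the accept/reject outcomes."""
    secret = secrets.token_bytes(32)
    guard = RequestTokenGuard("sess-42", secret)
    tok = guard.token()
    other = RequestTokenGuard("sess-99", secret).token()  # valid token, but wrong session
    return {
        "own_form_post": guard.accept("send", {"_token": tok, "_to": "a@example.org"}, {}),
        "own_ajax_call": guard.accept("save-identity", {}, {"X-Request-Token": tok}),
        "readonly_get": guard.accept("list", {"_mbox": "INBOX"}, {}),
        "cross_site_post": guard.accept("send", {"_to": "a@example.org"}, {}),
        "cross_site_get": guard.accept("delete", {"_uid": "7"}, {}),
        "token_from_other_session": guard.accept("delete", {"_token": other}, {}),
    }
```

Because the check keys on the action rather than the HTTP method, a state-changing GET link is rejected just like a forged POST, which is the gap r2779 closed.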
Comment 3 Jon Ciesla 2009-11-30 14:55:04 EST
See:

https://admin.fedoraproject.org/updates/roundcubemail-0.2.2-4.fc10?_csrf_token=5d306bc36ec390a9824e793d7dc8511cb0055e61

I'll have a look at EL-5.  RC isn't in EL-4, as it needs PHP5.
Comment 5 Fedora Update System 2009-12-01 13:24:27 EST
roundcubemail-0.1.1-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2009-12-01 23:27:30 EST
roundcubemail-0.2.2-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.