Roundcube Webmail Issues
Reader Nathan sent us an update on a vulnerability in     Roundcube's
html2text.php.  He said that the exploit is being seen in the wild and that it works.  Roundcube is a PHP powered webmail solution which many prefer over Squirrelmail.  
http://trac.roundcube.net/ticket/1485618
http://www.securiteam.com/unixfocus/6L00O15NFS.html
Nathan said that it was fixed on 12/12/2008, http://trac.roundcube.net/changeset/2148 and an official release was on 12/16/2008, http://sourceforge.net/forum/forum.php?forum_id=898542.  He also suggested that readers consider Suhosin, mod_chroot, and the below PHP.ini settings:
allow_url_include = Off
allow_url_fopen = Off
session.use_only_cookies = 1
session.cookie_httponly = 1
expose_php = Off
display_errors = Off
register_globals = Off
disable_functions = phpinfo                
Thanks for the information and the links Nathan!
Marcus H. Sachs
Director, SANS Internet Storm Center
 
              
Comments