From owner-freebsd-questions@FreeBSD.ORG Mon Mar 9 08:21:59 2009
From: Michael Powell
To: freebsd-questions@freebsd.org
Date: Mon, 09 Mar 2009 04:22:38 -0400
Subject: Re: roundcube security bug
Reply-To: nightrecon@verizon.net
References: <94136a2c0903090036q51d569dfk4a58ef0f8cceab05@mail.gmail.com>
List-Id: User questions

Zbigniew Szalbot wrote:

> hello,
>
> I strongly advise anyone who has the mail/roundcube port or software
> installed to be careful as it has a security bug (and I do not know
> where to report it). It allows people to remotely place a trojan on
> /tmp and use it. They do it like this:
>
> 213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] "POST
> /roundcube/bin/html2text.php HTTP/1.0" 406
>
> and as a result a non-empty directory /tmp/guestbook.ntr/ is created
> and a file /tmp/guestbook.php
>
> This html2text.php file has been used by an attacker on my system (at
> least I think so). I have removed the port and since then I have had
> no trouble, although they have been scanning for this file as I can
> read in the logs.
>
> Yours,

I have an eCommerce store and sometimes up to about two thirds of the script
kiddie runs include a search for roundcube. So it is a highly sought after
active vulnerability for compromising web sites. I don't use it myself so it
has no effect on my site, but I am seeing the traffic.

-Mike
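As an added example (not code from either poster), a small Python scanner that flags the pattern Zbigniew describes in an Apache common-format access log: POSTs to bin/html2text.php, plus any other request probing for roundcube paths, summarised per client IP. Apart from the log line quoted in the thread, the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Apache "common" log format, matching the line quoted in the thread:
# 213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] "POST /roundcube/bin/html2text.php HTTP/1.0" 406
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict of fields for one common-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """'html2text-post' for the abuse pattern reported in the thread, 'roundcube-probe'
    for other requests that look for roundcube or its html2text.php script, else None.
    The path check is suffix-based so alternate install prefixes are also caught."""
    path = entry["path"].lower()
    if path.endswith("/bin/html2text.php"):
        return "html2text-post" if entry["method"] == "POST" else "roundcube-probe"
    if "roundcube" in path:
        return "roundcube-probe"
    return None

def scan(lines):
    """Return ({tag: [(ip, ts, method, path, status), ...]}, Counter of probes per IP)."""
    hits = defaultdict(list)
    per_ip = Counter()
    for line in lines:
        e = parse_line(line)
        if not e:
            continue  # skip lines that are not in common log format
        tag = classify(e)
        if tag:
            hits[tag].append((e["ip"], e["ts"], e["method"], e["path"], e["status"]))
            per_ip[e["ip"]] += 1
    return dict(hits), per_ip

# Constructed sample: the thread's line, a scanner-style sweep from a second (documentation-range)
# address, and one benign request that must not be flagged.
SAMPLE_LOG = [
    '213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] "POST /roundcube/bin/html2text.php HTTP/1.0" 406',
    '198.51.100.7 - - [06/Mar/2009:02:10:01 +0100] "GET /roundcube/ HTTP/1.1" 404',
    '198.51.100.7 - - [06/Mar/2009:02:10:02 +0100] "GET /webmail/bin/html2text.php HTTP/1.1" 404',
    '192.0.2.44 - - [06/Mar/2009:09:00:00 +0100] "GET /index.php HTTP/1.1" 200',
]

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for tag, rows in hits.items():
        for row in rows:
            print(tag, *row)
    print("probes per IP:", dict(per_ip))
```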