Bugtraq mailing list archives

Re: Fullpath disclosure in roundcube webmail
From: "Steven M. Christey" <coley () mitre org>
Date: Sat, 17 Dec 2005 18:43:28 -0500 (EST)

I try this request in my mailbox
bce= &_task=ma%60il then roundcube shows this warning

For the 3 people who might care about the distinction (e.g. vuln DBs
who exclude path disclosure), this appears to be a custom error
message, not one generated by PHP, and therefore a design choice by
the developer.

Notice that in the URL above, the "_task" parameter has the value
"ma`il" - an invalid value.

roundcube appears to perform some validation of the value, then gives
a verbose error message when the validation fails.

Near the end of index.php we have:

  // only allow these templates to be included
  $valid_tasks = array('mail','settings','addressbook');
  // parse main template
  if (in_array($_task, $valid_tasks))
  // if we arrive here, something went wrong
  raise_error(array('code' => 404,
                    'type' => 'php',
                    'line' => __LINE__,
                    'file' => __FILE__,
                    'message' => "Invalid request"), TRUE, TRUE);

So __FILE__ is part of the error message, which is inserted into a
text template.  The relevant code is in program/steps/error.inc and

This is based on source analysis of roundcubemail-0.1-20051021.

- Steve
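
The pattern discussed in this message, next to one way to avoid it, as an added example that is not part of the original post and is not RoundCube's code. The function names render_error_verbose and render_error_safe, the log callback and the sample request value are assumptions made for illustration.

```php
<?php
// Added illustration; not RoundCube code. All function names are hypothetical.

// Pattern described in the message: the error record, including the
// server-side file path, is substituted into the page sent to the client.
function render_error_verbose(array $err): string
{
    return sprintf("Error %d: %s in %s on line %d",
        $err['code'], $err['message'], $err['file'], $err['line']);
}

// Hardened form: path and line go to the server log only; the client gets
// the status, a generic message, and an opaque reference for support.
function render_error_safe(array $err, callable $log): string
{
    $ref = bin2hex(random_bytes(4));
    $log(sprintf("[%s] %d %s at %s:%d",
        $ref, $err['code'], $err['message'], $err['file'], $err['line']));
    return sprintf("Error %d: %s (ref %s)", $err['code'], $err['message'], $ref);
}

// Constructed request value: the invalid task from the report ("ma`il").
$task        = "ma`il";
$valid_tasks = array('mail', 'settings', 'addressbook');

if (!in_array($task, $valid_tasks, true)) {
    $err = array('code' => 404, 'line' => __LINE__, 'file' => __FILE__,
                 'message' => 'Invalid request');

    // Stand-in for a real server-side logger: collect lines in an array.
    $logged = array();
    $log = function (string $line) use (&$logged) { $logged[] = $line; };

    $verbose = render_error_verbose($err);
    $safe    = render_error_safe($err, $log);

    echo "verbose: $verbose\n";
    echo "safe:    $safe\n";
    echo "log:     {$logged[0]}\n";

    // The verbose text carries the script's path; the safe text must not.
    assert(strpos($verbose, __FILE__) !== false);
    assert(strpos($safe, __FILE__) === false);
}
```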
