[Pkg-roundcube-maintainers] Bug#508628: roundcube: remote code execution vuln in html2text.php, uses preg_replace with "e".

Andreas Henriksson andreas at fatal.se
Sun Dec 14 17:34:44 UTC 2008


On lör, 2008-12-13 at 19:28 +0100, Florian Weimer wrote:
> * Andreas Henriksson:
> 
> > my.host.name 200.171.152.187 - - [08/Dec/2008:18:36:54 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 83 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
> > my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:03 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
> > my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:29 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 88 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
> 
> This might be unrelated.
> 
> Could we get more logs from a larger timespan, including error logs?

I'm quite certain it's not unrelated. I have very little access to my
SSL-enabled vhost and the other hits definitely have nothing to do with
it. Upstream bug reporter also reports exactly 3 hits from the same ip
for his attack. Why do you think it would be anything else? The problem
has been found and fixed already.

-- 
Regards,
Andreas Henriksson





More information about the Pkg-roundcube-maintainers mailing list