[Pkg-roundcube-maintainers] Bug#508628: roundcube: remote code execution vuln in html2text.php, uses preg_replace with "e".

Florian Weimer fw at deneb.enyo.de
Sun Dec 14 18:13:24 UTC 2008


* Andreas Henriksson:

>> Could we get more logs from a larger timespan, including error logs?
>
> I'm quite certain it's not unrelated. I have very little access to my
> SSL-enabled vhost and the other hits definitely have nothing to do with
> it. Upstream bug reporter also reports exactly 3 hits from the same ip
> for his attack. Why do you think it would be anything else?

The dates did not match.

> The problem has been found and fixed already.

A problem has been fixed, right, but not necessarily the correct
one. 8-/

In the meantime, I've received data from another attack (again without
POST data, unfortunately).  But in that case, the time stamps match
up, so I'm inclined to believe that the issue is indeed in
html2text.php, and precisely the one fixed by upstream (there doesn't
seem to be any other vector in that script).





More information about the Pkg-roundcube-maintainers mailing list