English

Calendar Discussions Polls

RSS feeds Subscriptions Contacts

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Read us on

Home→Descriptions→SA37235

RoundCube Webmail Cross-Site Request Forgery Vulnerabilities

Secunia ID	SA37235
CVE-ID	CVE-2009-4076, CVE-2009-4077
Release Date	04 Nov 2009
Last Change	02 Dec 2009
Criticality	Less Critical
Solution Status	Vendor Patch
Software	RoundCube Webmail 0.x
Where	From remote
Impact	Cross-Site Scripting Cross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user's browser, without compromising the underlying system. Different Cross-Site Scripting related vulnerabilities are also classified under this category, including "script insertion" and "cross-site request forgery". Cross-Site Scripting vulnerabilities are often used against specific users of a website to steal their credentials or to conduct spoofing attacks.
Description	Some vulnerabilities have been reported in RoundCube Webmail, which can be exploited by malicious people to conduct cross-site request forgery attacks. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change certain information of a logged in user or send arbitrary emails. The vulnerabilities are reported in versions prior to 0.3.
Solution	Update to version 0.3. http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.3-stable/
Reported by	JVN Credits: * Shuya Ueki * Gaku Mochizuki, Mitsui Bussan Secure Directions
Original Advisory	RoundCube: http://trac.roundcube.net/wiki/Changelog JVN: http://jvn.jp/en/jp/JVN72974205/index.html http://jvn.jp/en/jp/JVN75694913/index.html