From: Zbigniew Szalbot
To: User Questions
Date: Mon, 9 Mar 2009 08:36:59 +0100
Subject: roundcube security bug

Hello,

I strongly advise anyone who has the mail/roundcube port or software
installed to be careful as it has a security bug (and I do not know
where to report it). It allows people to remotely place a trojan on /tmp
and use it. They do it like this:

213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] "POST /roundcube/bin/html2text.php HTTP/1.0" 406

and as a result a non-empty directory /tmp/guestbook.ntr/ is created
and a file /tmp/guestbook.php

This html2text.php file has been used by an attacker on my system (at
least I think so). I have removed the port and since then I have had no
trouble, although they have been scanning for this file as I can read
in the logs.

Yours,

--
Zbigniew Szalbot
www.slowo.pl
www.fairtrade.net.pl
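
A log triage sketch for the indicators in this message, added here as an example (not part of the original post and not Roundcube code): it groups requests for html2text.php by client address and checks for the two /tmp paths. It assumes an Apache common/combined-format access log; every sample log line except the one quoted in the message is constructed.

```python
import os
import re
from collections import defaultdict

# Apache common/combined log prefix: host ident user [time] "request" status
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Script named in the message; matched on its tail so any install prefix is caught.
TARGET = "/bin/html2text.php"
# Paths the message reports appearing in /tmp afterwards.
ARTIFACTS = ("/tmp/guestbook.ntr", "/tmp/guestbook.php")

# Constructed sample: the first line is the one quoted in the message, the
# others are invented for illustration (documentation-range addresses).
SAMPLE_LOG = """\
213.96.25.30 - - [05/Mar/2009:19:22:14 +0100] "POST /roundcube/bin/html2text.php HTTP/1.0" 406
198.51.100.7 - - [07/Mar/2009:02:10:41 +0100] "GET /mail/bin/html2text.php HTTP/1.1" 404
198.51.100.7 - - [07/Mar/2009:02:10:42 +0100] "GET /webmail/bin/html2text.php HTTP/1.1" 404
203.0.113.9 - - [07/Mar/2009:09:00:03 +0100] "GET /roundcube/index.php HTTP/1.1" 200
"""

def scan(lines):
    """Group requests for html2text.php by client address."""
    hits = defaultdict(lambda: {"posts": 0, "probes": 0, "statuses": set(),
                                "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].split("?", 1)[0].lower().endswith(TARGET):
            continue
        h = hits[m["host"]]
        # A POST sends a body to the script; other methods only test for its presence.
        h["posts" if m["method"] == "POST" else "probes"] += 1
        h["statuses"].add(int(m["status"]))
        h["first"] = h["first"] or m["time"]
        h["last"] = m["time"]
    return dict(hits)

def artifacts_present(paths=ARTIFACTS):
    """Return the reported /tmp paths that exist on this host."""
    return [p for p in paths if os.path.lexists(p)]

if __name__ == "__main__":
    for host, h in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(host, "POST=%d" % h["posts"], "other=%d" % h["probes"],
              sorted(h["statuses"]), h["first"], "->", h["last"])
    print("artifacts:", artifacts_present() or "none")
```

To run it against a real log, pass an open file object to scan() in place of the sample lines.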