Andreas Henriksson
2008-Dec-13 11:38 UTC
[Secure-testing-team] Bug#508628: roundcube: remote code execution vuln in html2text.php, uses preg_replace with "e".
Package: roundcube
Version: 0.1.1-8
Severity: serious
Tags: security, fixed-upstream
Justification: user security hole

I was recently targeted by a spammer exploiting a hole in my roundcube installation. I got help from Atomo64 to try to analyze this but we were unable to find how html2text.php could be exploited.

Today Atomo64 notified me that someone else had reported this upstream and now they have found the problem and fixed it. See http://trac.roundcube.net/ticket/1485618

(No CVE identifier has yet been assigned as far as I'm aware.)

Now some google juice: This is what my access.log looked like, and the upstream bug reported had a similar looking access log.

my.host.name 200.171.152.187 - - [08/Dec/2008:18:36:54 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 83 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:03 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:29 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 88 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (300, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages roundcube depends on:
ii  roundcube-core                0.1.1-8  skinnable AJAX based webmail solut
ii  roundcube-mysql [roundcube-db 0.1.1-8  metapackage providing MySQL depend

roundcube recommends no packages.

roundcube suggests no packages.

Versions of packages roundcube-core depends on:
ii  apache2-mpm-prefork  2.2.9-11             Apache HTTP Server - traditional n
ii  dbconfig-common      1.8.40               common framework for packaging dat
ii  debconf [debconf-2.0 1.5.24               Debian configuration management sy
ii  libmagic1            4.26-2               File type determination library us
ii  php-auth             1.6.1-1              PHP PEAR modules for creating an a
ii  php-db               1.7.13-2             PHP PEAR Database Abstraction Laye
ii  php-mail-mime        1.5.2-0.1            PHP PEAR module for creating MIME
ii  php-net-smtp         1.3.1-1              PHP PEAR module implementing SMTP
ii  php-net-socket       1.0.9-1              PHP PEAR Network Socket Interface
ii  php5                 5.2.6.dfsg.1-0.1     server-side, HTML-embedded scripti
ii  php5-mcrypt          5.2.6.dfsg.1-0.1+b1  MCrypt module for php5
ii  roundcube-mysql [rou 0.1.1-8              metapackage providing MySQL depend
ii  tinymce2             2.1.3-1              platform independent web based Jav
ii  ucf                  3.0011               Update Configuration File: preserv

-- debconf information excluded
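
Added example (not part of the original report or of Roundcube): a small Python check that scans a vhost-prefixed combined-format access log for the request pattern shown in the report, POSTs to bin/html2text.php, and marks hits that arrive with no Referer or a crawler-style User-Agent. The first three sample lines are copied from the report; the last two are constructed, and treating those two markers as suspicious is an assumption of this example.

```python
import re
from collections import Counter

# First three lines: copied from the report above.
# Last two lines: constructed benign traffic that must not be flagged.
SAMPLE_LOG = """\
my.host.name 200.171.152.187 - - [08/Dec/2008:18:36:54 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 83 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:03 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:29 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 88 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 192.0.2.10 - - [08/Dec/2008:18:40:00 +0100] "GET /roundcube/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
my.host.name 192.0.2.10 - - [08/Dec/2008:18:40:05 +0100] "POST /roundcube/?_task=mail HTTP/1.1" 200 912 "http://my.host.name/roundcube/" "Mozilla/5.0"
"""

# Apache combined log format with the virtual host name as the first field.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def normalize_path(path):
    """Drop the query string and collapse repeated slashes ('//roundcube' -> '/roundcube')."""
    return re.sub(r"/{2,}", "/", path.split("?", 1)[0])

def find_html2text_posts(log_text):
    """Return one dict per POST to .../bin/html2text.php, with two triage flags."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not normalize_path(m["path"]).lower().endswith("/bin/html2text.php"):
            continue
        hit = m.groupdict()
        hit["no_referer"] = hit["referer"] in ("", "-")       # assumption: direct hit, not from the webmail UI
        hit["crawler_agent"] = "bot" in hit["agent"].lower()  # assumption: crawlers do not POST here
        hits.append(hit)
    return hits

def hits_per_source(hits):
    """Count flagged requests per client address."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    for h in find_html2text_posts(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["path"], h["size"], h["no_referer"], h["crawler_agent"])
```
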