HTTP: Roundcube Webmail Archive IMAP Command Injection
An IMAP command injection vulnerability has been reported in Roundcube Webmail. The vulnerability is due to improper handling of the "_uid" parameter within certain HTTP requests. A remote attacker can exploit this vulnerability by enticing an authenticated user to visit a page which sends a request to the targeted server acting as the target user. Successful exploitation could lead to arbitrary MX (IMAP) injection on the target server.
Extended Description
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.
Affected Products
Roundcube webmail
References
CVE: CVE-2018-9846
Short Name
HTTP:MISC:ROUNDCUBE-IMAP-CMD-IN
Severity
Major
Recommended
True
Recommended Action
Drop
Category
HTTP
Keywords
Archive CVE-2018-9846 Command IMAP Injection Roundcube Webmail
Release Date
04/24/2018
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3590
False Positive
Unknown
Vendors
Debian
Roundcube
CVSS Score
6.8