Author Topic: Roundcube big security issue.  (Read 4212 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Roundcube big security issue.
« on: July 28, 2023, 08:04:51 AM »
How do we secure these logs

https://cpanel.domain.com/roundcube/logs/errors.log
https://cpanel.domain.com/webmail/logs/errors.log

And all other files withing the logs folder.

Any one visiting above URLs (replace domain.com with your actual domain) can download these log files and use them for exploitation.

I can see there is one .htaccess file, but it's not being honoured by the cwp webserver, in my case Apache.

Offline
*****
Re: Roundcube big security issue.
« Reply #1 on: July 28, 2023, 09:32:39 AM »
Just checked a couple domains.
Got either a permission denied by cwpsrv or a 403.

Hop into the CLI via SSH or Terminal

cd /scripts
./mail_roundcube_update
exit


Then in CWP, goto User Accounts -> Fix Permissions

Select the user (domain)
Check -> Fix Permissions
Check -> Internal Server Error

Offline
*
Re: Roundcube big security issue.
« Reply #2 on: July 28, 2023, 04:31:03 PM »
yup confirm

Offline
*
Re: Roundcube big security issue.
« Reply #3 on: July 28, 2023, 08:34:40 PM »
Just checked a couple domains.
Got either a permission denied by cwpsrv or a 403.

Hop into the CLI via SSH or Terminal

cd /scripts
./mail_roundcube_update
exit


Then in CWP, goto User Accounts -> Fix Permissions

Select the user (domain)
Check -> Fix Permissions
Check -> Internal Server Error

Followed above suggestion to the letter, but no use.

Some additional info.

Quote
cd /scripts
./mail_roundcube_update
Last metadata expiration check: 0:13:24 ago on Sat Jul 29 01:45:42 2023.
Dependencies resolved.
Nothing to do.
Complete!


###############################
Roundcube is already up-to-date
###############################

AlmaLinux release 8.8
CWPpro version: 0.9.8.1160

Offline
*
Re: Roundcube big security issue.
« Reply #4 on: July 28, 2023, 08:52:22 PM »
Some additional information

This too is not secure
https://host.domain.com:2031/roundcube/logs/errors.log

And is this Owner/Group correct? Because whatever domain is used, same errors.log get downloaded.
Quote
Owner: cwpsvc
Group: cwpsvc
/usr/local/cwpsrv/var/services/roundcube/logs/errors.log

And this is happening in multiple servers, not just one.

Offline
*****
Re: Roundcube big security issue.
« Reply #5 on: July 28, 2023, 10:17:10 PM »
cd /scripts
./mail_roundcube_update
Note that you don't want to do this if you've manually updated to roundcube 1.5.3 per Sandeep's instructions. The "logic" of the roundcube update script does not take into account the currently installed version and will merrily blow away a newer 1.5.x install and install 1.4.11 instead.

Offline
*
Re: Roundcube big security issue.
« Reply #6 on: July 28, 2023, 11:17:19 PM »
cd /scripts
./mail_roundcube_update
Note that you don't want to do this if you've manually updated to roundcube 1.5.3 per Sandeep's instructions. The "logic" of the roundcube update script does not take into account the currently installed version and will merrily blow away a newer 1.5.x install and install 1.4.11 instead.

Thanks for the heads up, but mine is default setup, webmail is running fine.

As per my earlier post result of
cd /scripts
./mail_roundcube_update
Was
Roundcube is already up-to-date

Current version is
Roundcube Webmail IMAP Client
Version 1.4.11

And these URLs are not secure, all servers are exposed.
https://cpanel.domain.com/roundcube/logs/errors.log
https://cpanel.domain.com/webmail/logs/errors.log

https://host.domain.com:2031/roundcube/logs/errors.log
https://webmail.domain.com//logs/errors.log

Entry in /usr/local/cwpsrv/var/services/roundcube/logs/.htaccess

# deny webserver access to this directory
<ifModule mod_authz_core.c>
    Require all denied
</ifModule>
<ifModule mod_authz_core.c>
    Deny from all
</ifModule>

Owner & group for /usr/local/cwpsrv/var/services/roundcube/logs/ and all files within.
Owner: cwpsvc
Group: cwpsvc

Offline
*
Re: Roundcube big security issue.
« Reply #7 on: February 03, 2024, 05:00:31 PM »
This issue still persists with CWPpro version: 0.9.8.1174 and no working solution to fix it.

Offline
*
Re: Roundcube big security issue.
« Reply #8 on: February 03, 2024, 05:19:14 PM »
Same issue on fresh install

CentOS Linux release 7.9.2009 (Core)
CWPpro version: 0.9.8.1174

Offline
*****
Re: Roundcube big security issue.
« Reply #9 on: February 03, 2024, 05:30:23 PM »
Check out:
https://www.alphagnu.com/topic/33-update-cwp-roundcube-mail-version-156-%E2%80%93-control-web-panel/

That will get you RoundCube 1.5.6


And check out ELevate, that will get you away from the EOL CentOS 7.

Offline
*
Re: Roundcube big security issue.
« Reply #10 on: February 03, 2024, 08:57:15 PM »
I did a CentOS 7 install just to check if the issue is there too.

I understand that issue is with the version of RoundCube, but then other panels have not shown same behaviour.

Solution must come from CWP officially, else patch work may break things in future.

Any idea, how CWP future update will handle the scenario if update is applied today using Sandeep B's solution?

Also, any one tested this solution on AlmaLinux release 8.x and up ?

Offline
*****
Re: Roundcube big security issue.
« Reply #11 on: February 04, 2024, 12:19:40 AM »
That link from AlphaGNU is about as 'official' as it gets.
It's not a patch that will get broken. I've gone thru multiple CWP updates, and it's still working.

I'm running RoundCube 1.5.6 using that method on AlmaLinux 8.x, and you can see my questions if you scroll down on that page about 1.6.x.

I think @overseer is as well, but he'll have to chime in to say if he is or not.

Offline
*****
Re: Roundcube big security issue.
« Reply #12 on: February 04, 2024, 05:39:57 PM »
Yes, Roundcube 1.5.6 (updated from Sandeep's 1.5.3 instructions, linked above). You can't get to the 1.6 branch with our current CWP kit; hopefully when EL9 support rolls out.

Offline
*
Re: Roundcube big security issue.
« Reply #13 on: February 04, 2024, 05:55:12 PM »
So, I applied the Roundcube 1.5.6 update on my CentOS 7 test server as per Sandeep's instructions, update was seamless and without errors, but the issue of exposed log files is still there.

These URLs are still not secure, they are still exposed to public.
https://cpanel.domain.com/roundcube/logs/errors.log
https://cpanel.domain.com/webmail/logs/errors.log

https://host.domain.com:2031/roundcube/logs/errors.log
https://webmail.domain.com//logs/errors.log

Offline
*****
Re: Roundcube big security issue.
« Reply #14 on: February 04, 2024, 06:30:08 PM »
Weird. I can't duplicate what you are seeing, and I'm accessing the server from a Whitelisted IP.
When I try those URL's using our domain, I get 404 Not Found errors or Forbidden.

BTW, https://webmail.domain.com//logs/errors.log
Has 2 // after the domain name. I know it's just a type-o.

But by default those are not accessible, at least not on a AlmaLinux 8.x install with CWPpro.