Topic: Roundcube big security issue.

Re: Roundcube big security issue.
« Reply #15 on: February 04, 2024, 07:24:10 PM »
My production versions where I found this issue initially were

AlmaLinux release 8.8
CWPpro version: 0.9.8.1160

Current versions
Distro Name: AlmaLinux release 8.9 (Midnight Oncilla)
CWPpro version: 0.9.8.1174

I will apply the update on one of these servers; let's see if the issue is fixed or not.

Re: Roundcube big security issue.
« Reply #16 on: February 04, 2024, 08:58:31 PM »
Let us know.

I'm testing on AL 8.9 with CWPpro 0.9.8.1174

Re: Roundcube big security issue.
« Reply #17 on: February 05, 2024, 03:41:30 AM »
@Vinayak If you haven't updated your AlmaLinux servers in a while, you had mentioned 8.8.

You will need to install the new AlmaLinux GPG Keys first: https://almalinux.org/blog/2023-12-20-almalinux-8-key-update/

Re: Roundcube big security issue.
« Reply #18 on: February 05, 2024, 05:40:24 AM »
As I mentioned in my previous post, on my production servers AlmaLinux is updated to release 8.9 (Midnight Oncilla) & CWPpro version to 0.9.8.1174. I update my servers on a regular basis.

For AlmaLinux GPG Keys, below is the result of the command "rpm -q gpg-pubkey-ced7258b-6525146f"

gpg-pubkey-ced7258b-6525146f

This shows the latest GPG Keys are installed & trusted.

Re: Roundcube big security issue.
« Reply #19 on: February 08, 2024, 09:04:14 PM »
As I am still trying to fix this, I am wondering whether cwpsrv/nginx is blocking access to these log and other crucial files or not.

Any idea where to check the configuration/directives for cwpsrv/nginx to make sure on this issue?

Or is some other mechanism in use to secure such files and paths?

Re: Roundcube big security issue.
« Reply #20 on: April 26, 2024, 06:32:48 PM »
Yes, ModSecurity.
I have Comodo rules installed with ModSecurity, and it is blocking these accesses.

Regards,
Netino

Re: Roundcube big security issue.
« Reply #21 on: April 26, 2024, 07:38:17 PM »
We are running ModSecurity with Comodo ruleset 1.241 with no problems.

Not a ModSecurity and/or Comodo issue.

Re: Roundcube big security issue.
« Reply #22 on: February 19, 2025, 10:20:04 PM »
I have the same problem. Have you found a solution yet?

Re: Roundcube big security issue.
« Reply #23 on: February 20, 2025, 03:12:24 AM »
No official solution yet.

Re: Roundcube big security issue.
« Reply #24 on: February 20, 2025, 04:09:16 AM »
nano /usr/local/cwpsrv/conf/cwp_services.conf

Find: location /roundcube {

Add:
location /roundcube/logs/ {
    deny all;
}

Example:
Code:
location /roundcube {
    root /usr/local/cwpsrv/var/services;
    index  index.html index.htm index.php;
    location /roundcube/logs/ {
        deny all;
    }
    location ~ \.php$ {
Google Hangouts:  rcschaff82@gmail.com

Re: Roundcube big security issue.
« Reply #25 on: February 20, 2025, 04:24:59 AM »
Won't this get overwritten on CWP updates?

Re: Roundcube big security issue.
« Reply #26 on: February 20, 2025, 07:22:13 PM »
Quote: "Won't this get overwritten on CWP updates?"

Most likely.  But it's a solution that the coders can implement when they see it on the forum ;)

Re: Roundcube big security issue.
« Reply #27 on: Today at 12:58:34 AM »
All of our CWP installations didn't have this issue.

Logs were not accessible; the screen came up with the generic permission denied screen.

But a working ModSecurity properly configured seems to block it, along with updating to RoundCube 1.5.9, which is an LTS version.

Re: Roundcube big security issue.
« Reply #28 on: Today at 05:54:41 PM »
The extra step is necessary to close the breach. Otherwise the logs can be accessed over URLs like:

https://webmail.DOMAIN.COM/logs/errors.log
https://webmail.DOMAIN.COM:2096/logs/errors.log

Add the following "location":
Code:
    location ~ \.log$ {
        deny all;
    }

into both "server" sections of the file /usr/local/cwpsrv/conf.d/webmail.conf.

Example:

Code:
    location ~ \.log$ {
        deny all;
    }
    location / {

Then restart cwpsrv:

Code:
service cwpsrv restart
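
Since the thread notes that manual edits may be overwritten by CWP updates and that the rule has to be present in both "server" sections, here is an added example (not posted by anyone in the thread, and not CWP's own code) of a check that can be re-run after each update. The function name check_log_deny and the sample configuration are constructed for illustration; it assumes each "server {" and "location ... {" opens on a single line and that no braces appear inside quoted strings.

```shell
# Added example: list nginx "server" blocks that lack a deny rule for .log files.
# Real use: check_log_deny /usr/local/cwpsrv/conf.d/webmail.conf
# check_log_deny FILE: prints the start line of each unprotected server block;
# exit status 0 if every block is protected, 1 otherwise.
check_log_deny() {
    awk '
    BEGIN { bad = 0 }
    {
        line = $0
        sub(/#.*/, "", line)                      # ignore comments
        opens  = gsub(/[{]/, "{", line)
        closes = gsub(/[}]/, "}", line)
        if (depth == 0 && line ~ /^[ \t]*server[ \t]*[{]/) { start = NR; ok = 0 }
        if (start && line ~ /location[ \t]+~[*]?[ \t]+\\\.log\$[ \t]*[{]/)
            locdepth = depth + 1                  # depth inside the .log location
        depth += opens
        if (locdepth && depth >= locdepth && line ~ /deny[ \t]+all[ \t]*;/) ok = 1
        depth -= closes
        if (locdepth && depth < locdepth) locdepth = 0   # left the location
        if (start && depth == 0) {                       # server block closed
            if (!ok) { printf "line %d: server block without .log deny\n", start; bad = 1 }
            start = 0
        }
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample: first block protected, second (port 2096) not.
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    location ~ \.log$ {
        deny all;
    }
    location / { root /srv/constructed; }
}
server {
    listen 2096 ssl;
    location / { root /srv/constructed; }
}
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
check_log_deny "$tmp" || echo "add the .log deny location to the blocks listed above"
rm -f "$tmp"
```

This only inspects the file on disk; cwpsrv still has to be restarted for a restored rule to take effect.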