Author Topic: Roundcube vulnerability  (Read 4808 times)


Re: Roundcube vulnerability
« Reply #30 on: March 08, 2026, 12:16:17 PM »
And I did, as many others. But that doesn't mean I don't follow the project...

Following is one thing.

But all you seem to do is post misinformation and troll posts of actual users trying to get help with your hate of CWP...

Thanks for finally admitting publicly you're just a troll.

Re: Roundcube vulnerability
« Reply #31 on: March 08, 2026, 04:36:08 PM »
Yes... now, instead of replying with toxicity, can you go back to the original question?

Note that it is YOU who are being off-topic with toxic answers, not me. Don't say BS about something that anyone can read; it is a little dumb.
Otherwise, kindly provide any proof of how I wrote any misinformation. If you cannot, YOU are being the toxic one here, not me, so shut up.

Now, back to where all this started: a message from me thanking the users for the script. That's it... everything after that was ignited by toxic replies... and ANYONE can read that, so don't even answer please.
« Last Edit: March 08, 2026, 04:40:31 PM by djprmf »

Re: Roundcube vulnerability
« Reply #32 on: March 20, 2026, 06:58:09 AM »
A new security vulnerability was found in Roundcube:
https://nvd.nist.gov/vuln/detail/CVE-2025-49113

The affected versions:
all versions before 1.5.10
all 1.6.x versions before 1.6.11

The most recent versions of Roundcube include the patch:
https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

CWP uses Roundcube 1.4.x, therefore it is highly recommended to update Roundcube.

Instructions on how to update Roundcube to 1.5.11:

Code:
cd /usr/local/cwpsrv/var/services
cp -R roundcube roundcube_backup                 # keep a full copy to roll back to
wget https://github.com/roundcube/roundcubemail/releases/download/1.5.11/roundcubemail-1.5.11-complete.tar.gz
tar -xvzf roundcubemail-1.5.11-complete.tar.gz
cd roundcubemail-1.5.11
bin/installto.sh /usr/local/cwpsrv/var/services/roundcube   # Roundcube's own in-place upgrade script
cd ..
chown -R cwpsvc:cwpsvc roundcube                 # restore CWP's service ownership
rm -rf roundcubemail-1.5.11*                     # clean up the tarball and extracted tree

Please note you do it at your own risk.

I had a problem with it.
Seems CWP is running php-7.2.30 without php-intl extension.
Roundcube needs this extension to detect Spoofing.

The solution for this was to change
/usr/local/cwpsrv/conf.d/webmail.conf
/usr/local/cwpsrv/conf/cwp_services.conf

fastcgi_pass    unix:/usr/local/cwp/php71/var/sockets/cwpsvc.sock;
to
fastcgi_pass unix:/opt/alt/php-fpm81/usr/var/sockets/cwpsvc.sock;

fastcgi_param   PHP_ADMIN_VALUE "open_basedir = /usr/local/cwpsrv/var/services/roundcube/:/tmp/:/usr/local/cwp/php71/lib/";
to
fastcgi_param   PHP_ADMIN_VALUE "open_basedir = /usr/local/cwpsrv/var/services/roundcube/:/tmp/:/usr/local/cwp/php71/lib/:/opt/alt/php-fpm82/usr/";


However, this didn't catch it all. When you go to it through https://<your_server>/webmail, you still ended up with php-7.2.30.
The version on port 2096 was OK, so I also changed the first lines of roundcube/index.php:
<?php
// redirect to the port-2096 vhost and stop, so the rest of index.php doesn't run under the old PHP
if (!preg_match("/:2096/", $_SERVER['HTTP_HOST'])) { header('Location: https://<your_server>:2096/'); exit; }

Re: Roundcube vulnerability
« Reply #33 on: March 20, 2026, 12:25:59 PM »
Be advised that CWP runs under its own dedicated PHP 7.2 version so changing its internal services to run on a more modern PHP version (8.2) risks breaking it or introducing unexpected behavior. Plus, if you take CWP too far out of spec and customize it, their support team will decline to help you if you have issues.

There are workarounds to the intl issue that don't risk breaking CWP. Follow these instructions, but update the version number to 1.5.14:
https://www.alphagnu.com/topic/33-update-cwp-roundcube-mail-version-158-%E2%80%93-control-web-panel/

Re: Roundcube vulnerability
« Reply #34 on: April 03, 2026, 02:18:35 AM »
Update to the script listed here:
http://forum.centos-webpanel.com/updates/roundcube-vulnerability/msg53064/#msg53064
Hi cyberspace,
Just used your script to update to 1.5.15 LTS -- on one server it worked fine, but on another server it errored out due to the system() function being disabled in that version of PHP, yet your script proceeded to report that the install had succeeded. I think you need to put some conditional logic around this code block to check for actual success before reporting success:
Code:
echo "Update completed successfully!"
echo "Now running version: $latest_version"

Re: Roundcube vulnerability
« Reply #35 on: April 05, 2026, 04:26:36 PM »
@overseer Searched the script for "system" and "system(" calls, and didn't see any.

Maybe @cyberspace could elaborate more.

Re: Roundcube vulnerability
« Reply #36 on: April 06, 2026, 01:44:05 AM »
Script wouldn't run unless system was an allowed function for that system version of PHP (8.3 in this case). It merrily proceeded to the ending echo lines and acted as if it had done something, but there was clearly an error during execution.

Re: Roundcube vulnerability
« Reply #37 on: April 08, 2026, 09:34:54 PM »
Just used your script to update to 1.5.15 LTS -- on one server it worked fine, but on another server it errored out due to the system() function being disabled in that version of PHP

Hi,

Sorry for the delayed reply. I’ve been away from home for a while and only have occasional access to my PC.

Anyway, the script doesn't use functions like system() or exec(). Do you run the script from PHP using system()?

Re: Roundcube vulnerability
« Reply #38 on: April 08, 2026, 10:38:27 PM »

I had a problem with it.
Seems CWP is running php-7.2.30 without php-intl extension.
Roundcube needs this extension to detect Spoofing.


Seems "roundcube" running on my system doesn't require intl. Anyway, if your roundcube requires it you can compile the extension from sources:

As root:
Code:
cd /usr/local/src/
wget https://www.php.net/distributions/php-7.2.30.tar.gz   # must match the PHP version CWP ships
tar -xvzf php-7.2.30.tar.gz
cd php-7.2.30/ext/intl
/usr/local/cwp/php71/bin/phpize                            # prepare the extension build against CWP's PHP
./configure --with-php-config=/usr/local/cwp/php71/bin/php-config
make
cp modules/intl.so /usr/local/cwp/php71/lib/php/extensions/no-debug-non-zts-20170718/
Open the file /usr/local/cwp/php71/php.ini for editing and add the line:
Code:
extension = intl.so
right before:
Code:
zend_extension = /usr/local/ioncube/ioncube_loader_lin_7.2.so

Remove the sources and extracted files:
Code:
rm -rf /usr/local/src/php-*

Re: Roundcube vulnerability
« Reply #39 on: April 08, 2026, 11:23:15 PM »
Anyway, the script doesn't use the function like system() or exec(). Do you run the script from PHP using system() ?
I believe the error happens with the install line, using the default RC install script:
Code:
yes | "$src_dir/bin/installto.sh" "$INSTALL_DIR"

So it's a bit of an outlier, but maybe you need to test for installation success before reporting it with the echo lines that follow, and maybe it's worth testing the actual installed version and reporting that:
Code:
grep "Version " /usr/local/cwpsrv/var/services/roundcube/index.php | awk '{print $3}'
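As an added example (not the script cyberspace posted and not part of this thread): a POSIX sh wrapper that applies the steps from Reply #32 but only reports success when installto.sh exited cleanly and the "Version" header in the installed index.php matches the target, which is the check asked for in Replies #34 and #39. It also offers a "check" mode that reads the installed version and compares it against the affected ranges quoted from the advisory. The paths, the CWP PHP binary, the target version and the affected ranges are taken from the thread; the function names and the check/update subcommands are my own assumptions.

```shell
#!/bin/sh
# Added example, not the script from this thread: a defensive wrapper around the
# update steps posted above. It refuses to claim success unless installto.sh
# exited 0 and the version string in the installed index.php matches. Paths,
# the PHP binary and the target version are assumptions taken from the thread.
set -eu

RC_DIR="${RC_DIR:-/usr/local/cwpsrv/var/services/roundcube}"  # CWP's Roundcube tree (from the thread)
PHP_BIN="${PHP_BIN:-/usr/local/cwp/php71/bin/php}"            # CWP's bundled PHP (from the thread)
WANT_VERSION="${WANT_VERSION:-1.5.11}"                        # version the thread installs

# Print the x.y.z from the "| Version x.y.z" header comment of a Roundcube index.php.
# Returns 1 (and prints nothing) when no such line exists.
rc_version_from_index() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1 | grep .
}

# Return 0 when dotted version $1 is strictly lower than $2 (numeric, component by component).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# Affected ranges as stated in the advisory quoted above: everything before 1.5.10,
# and 1.6.x before 1.6.11. Return 0 when $1 falls in an affected range.
cve_2025_49113_affected() {
    case "$1" in
        1.6.*) version_lt "$1" 1.6.11 ;;
        *)     version_lt "$1" 1.5.10 ;;
    esac
}

# Report the installed version and whether it is in an affected range (0 = fine, 1 = affected).
check_roundcube() {
    v="$(rc_version_from_index "$RC_DIR/index.php")" || { echo "no version line in $RC_DIR/index.php" >&2; return 2; }
    if cve_2025_49113_affected "$v"; then
        echo "Roundcube $v is in an affected range for CVE-2025-49113"; return 1
    fi
    echo "Roundcube $v is outside the affected ranges"
}

# The posted update steps, with each step checked (run as root).
update_roundcube() {
    work="$(dirname "$RC_DIR")"
    tarball="roundcubemail-${WANT_VERSION}-complete.tar.gz"
    # Pre-flight: the thread reports Roundcube 1.5 wanting the intl extension.
    if ! "$PHP_BIN" -m | grep -qi '^intl$'; then
        echo "intl extension not loaded in $PHP_BIN; build it first (see the thread)" >&2; return 1
    fi
    cd "$work"
    cp -R "$RC_DIR" "${RC_DIR}_backup_$(date +%Y%m%d%H%M%S)"   # timestamped, so reruns don't clobber it
    wget -q "https://github.com/roundcube/roundcubemail/releases/download/${WANT_VERSION}/${tarball}"
    tar -xzf "$tarball"
    # installto.sh is Roundcube's own upgrade tool; stop here on failure instead of echoing success.
    if ! yes | "roundcubemail-${WANT_VERSION}/bin/installto.sh" "$RC_DIR"; then
        echo "installto.sh failed; the backup copy is untouched" >&2; return 1
    fi
    chown -R cwpsvc:cwpsvc "$RC_DIR"
    rm -rf "roundcubemail-${WANT_VERSION}"*
    # Report what is actually on disk, not what we intended to install.
    got="$(rc_version_from_index "$RC_DIR/index.php")" || { echo "cannot read installed version" >&2; return 1; }
    [ "$got" = "$WANT_VERSION" ] || { echo "installed $got, expected $WANT_VERSION" >&2; return 1; }
    echo "Now running Roundcube $got"
}

# Usage: sh rc-update.sh check   |   sh rc-update.sh update
case "${1:-}" in
    check)  check_roundcube ;;
    update) update_roundcube ;;
esac
```

The point of the wrapper is the exit status: every step runs under set -e, installto.sh is wrapped in an explicit test, and the closing message is derived from the version header that is actually on disk rather than from the variable that was requested, so a silent failure of the install step cannot produce a "completed successfully" line.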