Roundcube Webmail Critical Security Vulnerability Report

Date: 2025-06-13
Severity: CRITICAL
CVSS Score: 9.8 (Critical)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low (authenticated user)
User Interaction: None
Impact: Remote Code Execution
Reported: No. We have not had any luck getting package maintainers to look into "potential" vulnerabilities unless we can provide a current proof of concept. As most of what we patch does not have a POC at the time we patch, we ceased attempting to report and just patch it ourselves to future-proof.

Executive Summary

A critical remote code execution vulnerability was discovered in Roundcube Webmail affecting the eval_expression() method in roundcube/program/include/rcmail_output_html.php. The vulnerability allows authenticated users to execute arbitrary PHP code on the server through template injection attacks.

Vulnerability Details

Root Cause

The eval_expression() method (line 1266) uses PHP's eval() function to process user-controllable template expressions without proper validation:

return eval("return ($expression);");

Attack Surface

• Location: roundcube/program/include/rcmail_output_html.php:1266
• Method: eval_expression()
• Called by: check_condition() → parse_conditions() → just_parse()

Attack Mechanism

The vulnerability can be exploited when user-controlled data is processed through Roundcube's template system:

1. Input Vector: User-controllable data reaches template processing
2. Template Injection: Malicious template expressions are injected
3. Expression Evaluation: eval_expression() processes the malicious input
4. Code Execution: eval() executes arbitrary PHP code

Example Exploit:

Template Expression: "><roundcube:if condition="system('id')">
Result: Remote command execution as web server user

Impact

Technical Impact Possible

• Remote Code Execution: Execute arbitrary system commands
• File System Access: Read/write any files accessible to web server
• Database Compromise: Access database credentials and data
• Server Takeover: Install backdoors, pivot to internal network

Remediation

Immediate Actions Taken

Core Vulnerability Fix

File: roundcube/program/include/rcmail_output_html.php

Implemented comprehensive validation system:

• Added validate_expression() method with blacklist approach for dangerous functions
• Modified eval_expression() to validate before execution
• Malicious expressions are blocked and logged

Security Validation Implementation Details

Blacklist (Always Blocked):

• System calls: system(), exec(), shell_exec(), passthru()
• File operations: file_get_contents(), fopen(), readfile(), etc.
• Database functions: mysql_*, mysqli_*, pg_*, etc.
• Object/class access: ->, ::
• Variable functions: $variable()
• Code execution: eval(), assert(), create_function()
• Process control: proc_*, pcntl_*
• Network functions: socket_*, stream_*

Allowed Elements:

• Valid namespaces: env:, config:, session:, cookie:, request:, browser:, template:
• Safe functions: empty(), in_array(), asciiwords(), strlen(), trim(), etc.
• Comparison operators: ==, !=, ===, !==
• Logical operators: &&, ||, !
• Ternary operators: ? :
• Simple literals: strings, numbers, booleans

Validation Benefits:

1. Security: Comprehensive blocking of dangerous functions
2. Usability: Allows legitimate Roundcube template expressions
3. Flexibility: Easy to extend safe function list
4. Maintenance: Clear separation of concerns

Timeline

• Discovery: Security analysis identified unsafe eval() usage in template processing
• Verification: Confirmed exploitable through template injection
• Mitigation: Implemented comprehensive validation system for template expressions
• Current Status: Security measures applied and operational

Contact

security@codamail.com

References

• Roundcube Official Site: https://roundcube.net/
• OWASP Template Injection: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection
• PHP eval() Security: https://www.php.net/manual/en/function.eval.php

Report Generated: 2025-06-13
Status: RESOLVED - Comprehensive security validation implemented