id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
1483829	$_SERVER['HTTP_HOST'] is not safe to use unfiltered	Rasmus		"I noticed in a recent change you are doing:

include($_SERVER['HTTP_HOST'].'.inc.php');

This is a really really bad idea.  I can inject whatever I want into the HTTP Host header simply by sending a fake Host: blah header in the request.  If the server running roundcube is the only, or the first vhost on an Apache server, the request is still going to get through to the server and you are now allowing a user to inject whatever they want into this include.  "	Bugs	closed	5		Security	later	critical	duplicate		
