Opened 7 years ago

Closed 7 years ago

#1483849 closed Bugs (fixed)

Insecure HTTP_HOST usage

Reported by: blues
Owned by:
Priority: 1 - Highest
Milestone: 0.1-beta2
Component: Security
Version: 0.1-beta
Severity: major
Keywords:
Cc:

Description

From main.inc.php:

/***** try to load host-specific configuration *****/

@include($_SERVER['HTTP_HOST'].'.inc.php');

It's really insecure, because the HTTP Host: header is spoofable!
Apache does some sanity checks but you can't rely on that. Besides, there are many other HTTP servers.

Change History (5)

comment:1 Changed 7 years ago by blues

  • Priority changed from 7 to 10

Nobody cares about that?

comment:2 Changed 7 years ago by blues

  • Priority changed from 10 to 1

comment:3 Changed 7 years ago by adam

All of the developers on this project are quite busy with other things - if you can, please post a patch or alternative method to avoid this problem.

comment:4 Changed 7 years ago by blues

First of all, I'm not a PHP programmer...

I'll show an idea for securing that inclusion, which will be quite good...

  1. loading the host-specific configuration file should be on-demand, IMO. That's why some config option should appear, i.e.:
     $rcmail_config['include_host_config'] = TRUE/FALSE;

     Of course, false by default.

  2. that inclusion should go to some other file, somewhere in "program"
  3. parsing of $_SERVER['HTTP_HOST'] can be done in various ways. The obvious way is to do a preg_match with a regexp that matches hostnames only. There could also be a static host list (not a nice solution).

As I said, I'm not a PHP programmer - the choice of the Right_Solution(TM) isn't up to me. For me, commenting out that inclusion works...

And this BUG is something that HAS to be fixed. Or roundcube will be software with known security bugs...
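
An added example (not Roundcube's code and not part of this ticket) of the approach sketched in comment:4, written in PHP: host-specific inclusion stays off unless a config option enables it, the Host header is validated against a hostname pattern before it touches a path, and the resulting file is confined to one fixed config directory. The option name $rcmail_config['include_host_config'] is the one proposed in the comment; the function name rcmail_host_config_file, the config directory location and the port-stripping step are assumptions made for the example.

```php
<?php
// Added example, not Roundcube's code. Hardened host-specific config loading
// following comment:4: off by default, hostname validated, include confined
// to a fixed directory instead of whatever the raw Host header spells out.

$rcmail_config = array();
// Proposed option name from comment:4; disabled by default.
$rcmail_config['include_host_config'] = false;

/**
 * Return the absolute path of the host-specific config file for $http_host,
 * or null when the header is missing, is not a plain hostname, or does not
 * resolve to an existing file inside $config_dir.
 *
 * The original code concatenated the raw header into include(), so a Host
 * value containing "/" or ".." would have been used as part of a path.
 * Rejecting anything that is not a DNS hostname closes that off.
 */
function rcmail_host_config_file($config_dir, $http_host)
{
    if ($http_host === null || $http_host === '') {
        return null;
    }

    // Assumption: a trailing ":port" (e.g. "mail.example.org:8080") should be
    // ignored so the same file serves the host on any port.
    $host = preg_replace('/:\d+$/', '', $http_host);

    // Only DNS hostnames: labels of letters, digits and hyphens separated by
    // dots, 1 to 63 characters each. No slashes, no "..", no NUL bytes.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^' . $label . '(?:\.' . $label . ')*$/i', $host)) {
        return null;
    }

    $file = $config_dir . DIRECTORY_SEPARATOR . strtolower($host) . '.inc.php';

    // Belt and braces: the file must exist and, after symlink resolution,
    // still live inside the config directory.
    $real_dir  = realpath($config_dir);
    $real_file = realpath($file);
    if ($real_dir === false || $real_file === false
        || strpos($real_file, $real_dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $real_file;
}

if (!empty($rcmail_config['include_host_config'])) {
    // Assumption: host configs live in a "config" directory next to this file.
    $host_header = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : null;
    $host_file   = rcmail_host_config_file(__DIR__ . '/config', $host_header);
    if ($host_file !== null) {
        include $host_file;
    }
}
```

With this in place a request carrying a Host header such as `../../tmp/x` is rejected by the pattern check before any path is built, and a header naming a host for which no config file exists is simply ignored, matching the "on-demand" behaviour the comment asks for.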

comment:5 Changed 7 years ago by thomasb

  • Milestone set to 0.1-beta2
  • Resolution set to fixed
  • Status changed from new to closed

I agree and have changed the way host-specific config files are included as you suggested.
