Ticket #1483849 (closed Bugs: fixed)

Opened 4 years ago

Last modified 4 years ago

Insecure HTTP_HOST usage

Reported by: blues Owned by:
Priority: 1 - Highest Milestone: 0.1-beta2
Component: Security issue Version: 0.1-beta
Severity: major Keywords:
Cc:

Description

From main.inc.php:

/***** try to load host-specific configuration *****/

@include($_SERVER['HTTP_HOST'].'.inc.php');

It's really insecure, because the HTTP Host: header is spoofable! Apache does some sanity checks but you can't rely on that. Besides, there are many other HTTP servers.

Change History

Changed 4 years ago by blues

  • priority changed from 7 to 10

Nobody cares about that?

Changed 4 years ago by blues

  • priority changed from 10 to 1

Changed 4 years ago by adam

All of the developers on this project are quite busy with other things - if you can, please post a patch or alternative method to avoid this problem.

Changed 4 years ago by blues

First of all - I'm not a PHP programmer...

I'll show some idea of securing that inclusion, which will be quite good...

1. Loading the host-specific configuration file should be on-demand, IMO. That's why some config option should appear, i.e.:

$rcmail_config['include_host_config']=TRUE/FALSE;

Of course - false by default.

2. That inclusion should go to some other file, somewhere in "program".

3. Parsing of $_SERVER['HTTP_HOST'] can be done in various ways. The obvious way is to do a preg_match with a regexp that will match hostnames only. There could also be some static host list (not a nice solution).

As I said, I'm not a PHP programmer - the choice of the Right_Solution(TM) isn't up to me. For me, commenting out that inclusion is working...

And this BUG is something that HAS to be fixed. Or Roundcube will be software with known security bugs...
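The three steps above, worked through as one PHP example. This is added illustration, not code from the ticket and not Roundcube's actual fix: the function names `rcmail_safe_host` and `rcmail_host_config_path`, the `config/` directory and the sample `$rcmail_config` array are assumptions made for the example; only the option name `include_host_config` comes from the ticket.

```php
<?php
// Added example (not Roundcube's own code): host-specific config inclusion
// gated behind a config option and validated before anything is included.

// Constructed sample configuration. 'include_host_config' is the option the
// ticket proposes; it is off by default, so nothing is included unless an
// administrator opts in.
$rcmail_config = array(
    'include_host_config' => false,
);

/**
 * Return a normalised hostname taken from the HTTP Host header, or null if
 * the value is not a plain hostname (contains a path, traversal characters,
 * whitespace, and so on). An optional :port suffix is dropped.
 */
function rcmail_safe_host($host)
{
    if (!is_string($host) || $host === '') {
        return null;
    }
    $host = preg_replace('/:\d+$/', '', strtolower($host));

    // DNS-style labels only: letters, digits and hyphens, separated by single
    // dots, no label starting or ending with a hyphen, 253 characters at most.
    $label = '(?!-)[a-z0-9-]{1,63}(?<!-)';
    if (strlen($host) > 253 || !preg_match('/^' . $label . '(\.' . $label . ')*$/', $host)) {
        return null;
    }
    return $host;
}

/**
 * Return the path of <config_dir>/<host>.inc.php if, and only if, the feature
 * is enabled, the hostname validates, and the resolved file lies inside the
 * configured directory. Returns null otherwise. The caller does the include
 * so that the file's $rcmail_config assignments land in the caller's scope.
 */
function rcmail_host_config_path($config, $server, $config_dir)
{
    if (empty($config['include_host_config'])) {
        return null;                       // disabled by default, as proposed
    }
    $host = rcmail_safe_host(isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '');
    if ($host === null) {
        return null;                       // not a hostname; refuse silently
    }
    // Resolve both sides so a symlink or odd separator cannot escape the
    // configured directory. realpath() returns false for a missing file.
    $dir  = realpath($config_dir);
    $file = realpath($config_dir . DIRECTORY_SEPARATOR . $host . '.inc.php');
    if ($dir === false || $file === false
        || strpos($file, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // missing, or outside the config dir
    }
    return $file;
}

// Usage: replaces the unconditional @include($_SERVER['HTTP_HOST'].'.inc.php').
// The 'config' directory beside this script is an assumption of the example.
$host_config = rcmail_host_config_path($rcmail_config, $_SERVER, __DIR__ . '/config');
if ($host_config !== null) {
    include $host_config;
}
```

The include stays in global scope on purpose: a host config file is expected to assign into `$rcmail_config`, which would be lost if the include ran inside the helper. The validation covers both halves of the ticket's concern: a spoofed or malformed Host header is rejected by the regex, and even a valid-looking hostname can only ever select a file that already exists under the fixed directory.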

Changed 4 years ago by thomasb

  • status changed from new to closed
  • resolution set to fixed
  • milestone set to 0.1-beta2

I agree and have changed the way host-specific config files are included as you suggested.
