Ticket #1488086 (closed Bugs: fixed)

Opened 8 months ago

Last modified 8 months ago

RC can be DoS'ed by sending specific email

Reported by: star26bsd Owned by:
Priority: 5 Milestone: 0.6-stable
Component: Core functionality Version: 0.5.4
Severity: normal Keywords:
Cc:

Description

Hi,

a user has an email in his inbox which has an amazon.de URL as subject only (see log message below, the server runs php 5.3.8 with latest suhosin, default config on latest apache on FreeBSD). When the user logs in to roundcube the 'loading' box is spinning forever. After disabling suhosin temporarily, the inbox can be displayed in roundcube properly.

The log files show:

Sep 15 21:05:03 <user.alert> srv3 suhosin[61727]: ALERT - Include filename (' http://www.amazon.de/Die-unglaubliche-Geschichte-Henry-Brown/dp/3499252899/ref=pd_bxgy_b_text_c.php') is an URL that is not allowed (attacker 'xx.xx.xx.x', file '/usr/local/www/roundcubemail-0.5.3/program/include/iniset.php', line 111)

This message made me wonder why suhosin thinks there's an include going on. Line 111 of iniset.php shows:

include_once("$filename.php");

It seems like roundcube wants to include what is displayed in the subject, which happens to be a url - and suhosin legitimately blocks this attempt.

In short, I can send an email to a user on a suhosin protected mail server and make his inbox unavailable. Needless to say, the user cannot delete this email himself via RoundCube. In my case, I had to delete the email file on the server to make roundcube show the inbox again.

I have run Suhosin + RC for more than a year now without problems. However, I've upgraded to PHP 5.3.x recently, so I have reason to believe this effect is kinda related to new suhosin/PHP in combination with RC.

Thanks, Stephan
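As an added example (not Roundcube's code and not from the reporter), two defensive measures that address the mechanism described in this report: an autoloader that validates the class name before any include_once, and type checks that never hand a string to is_a(). The function names and the `lib/` directory are assumptions.

```php
<?php
// Added example, not Roundcube's code. Names and the lib/ directory are hypothetical.
//
// PHP 5.3.7 and 5.3.8 call the autoloader when is_a() receives a string as its
// first argument (bugs.php.net #55475). When that string comes from untrusted
// data such as a mail subject, an autoloader doing include_once("$filename.php")
// blindly will try to include it. Validate the name before touching the filesystem.
function safe_autoload($classname)
{
    // Class names are identifiers: letters, digits and underscores, bounded length.
    // Anything else (slashes, colons, "http://...") is refused and logged.
    if (!is_string($classname)
        || !preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,127}$/', $classname)) {
        error_log('autoload: refused suspicious class name');
        return;
    }

    // Load only from one fixed directory; the validated name cannot contain
    // path separators or stream wrappers, so it cannot escape it.
    $file = __DIR__ . '/lib/' . $classname . '.php';
    if (is_file($file)) {
        include_once $file;
    }
}
spl_autoload_register('safe_autoload');

// Type checks on values that may be strings: test is_object() first so that
// is_a() is never reached with a non-object. This is the guard the ticket's patch adds.
function is_pear_error($data)
{
    return is_object($data) && is_a($data, 'PEAR_Error');
}

// Equivalent without is_a(): instanceof returns false for non-objects and does
// not trigger autoloading for its left-hand operand on any PHP version.
function is_rcube_message($msg)
{
    return $msg instanceof rcube_message;
}

// Constructed input resembling the kind of subject line discussed in this ticket.
$subject = 'http://click.me/here';
var_dump(is_pear_error($subject));     // bool(false), autoloader not consulted
var_dump(is_rcube_message($subject));  // bool(false)
```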

Attachments

backport.diff (2.4 KB) - added by star26bsd 8 months ago.
Backport for 0.5.4

Change History

comment:1 Changed 8 months ago by alec

  • Milestone changed from later to 0.6-stable

This is because of this https://bugs.php.net/bug.php?id=55475. We need to modify is_a() usage in PEAR packages. Please also provide a sample message. So, I'll try to reproduce and find out if it isn't a bug in Roundcube code.

comment:2 Changed 8 months ago by alec

  • Status changed from new to closed
  • Resolution set to fixed

[8c124b9e] and the other commit before it should fix the issue. I'm unable to reproduce the issue. Reopen with a complete test case if it doesn't work for you (use svn-trunk version).

comment:3 Changed 8 months ago by star26bsd

Thanks, Alec, this fixes the issue. Your diff doesn't apply cleanly to 0.5.4 so I've "backported" it. I have not analysed the security implications of this issue but I'd favour an inclusion of this patch in the 0.5.x branch.

(for the test email, just send an email with the URL provided above in the subject line, no body.)

Index: trunk/roundcubemail/program/lib/MDB2/Driver/Datatype/Common.php
===================================================================
--- roundcubemail/program/lib/MDB2/Driver/Datatype/Common.php   (revision 3227)
+++ roundcubemail/program/lib/MDB2/Driver/Datatype/Common.php   (revision 5222)
@@ -1380,5 +1380,5 @@
                 return $db;
             }
-            if (isset($db->function) && is_a($db->function, 'MDB2_Driver_Function_Common')) {
+            if (isset($db->function) && is_object($db->function) && is_a($db->function, 'MDB2_Driver_Function_Common')) {
                 return $db->function->now('date');
             }
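Review bot: the new `is_object($db->function)` guard is the right fix here: `isset()` only proves the property exists, so a string value would still reach `is_a()`, and on PHP 5.3.7/5.3.8 `is_a()` with a string first argument triggers the autoloader (bug 55475, linked in comment:1). Because `is_object()` is tested first, `&&` short-circuits and the autoloader is never consulted for a non-object. `$db->function instanceof MDB2_Driver_Function_Common` would be a shorter equivalent that avoids this behaviour on every PHP version.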
@@ -1409,5 +1409,5 @@
                 return $db;
             }
-            if (isset($db->function) && is_a($db->function, 'MDB2_Driver_Function_Common')) {
+            if (isset($db->function) && is_object($db->function) && is_a($db->function, 'MDB2_Driver_Function_Common')) {
                 return $db->function->now('timestamp');
             }
@@ -1438,5 +1438,5 @@
                 return $db;
             }
-            if (isset($db->function) && is_a($db->function, 'MDB2_Driver_Function_Common')) {
+            if (isset($db->function) && is_object($db->function) && is_a($db->function, 'MDB2_Driver_Function_Common')) {
                 return $db->function->now('time');
             }
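Review bot: the hunks at lines 1409 and 1438 repeat the identical guard for the 'timestamp' and 'time' variants, and the reasoning for the first hunk applies unchanged. The three `if` lines are now byte-identical, so a follow-up could factor the predicate into one helper so a future fix does not have to be applied three times; for a backport, keeping the change minimal and matching upstream is the safer choice.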
Index: trunk/roundcubemail/program/lib/PEAR.php
===================================================================
--- roundcubemail/program/lib/PEAR.php  (revision 3073)
+++ trunk/roundcubemail/program/lib/PEAR.php    (revision 5222)
@@ -266,5 +266,5 @@
     function isError($data, $code = null)
     {
-        if (!is_a($data, 'PEAR_Error')) {
+        if (!is_object($data) || !is_a($data, 'PEAR_Error')) {
             return false;
         }
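Review bot: `!is_object($data) || !is_a($data, 'PEAR_Error')` is correct and short-circuits before `is_a()` sees a non-object, which matters because `isError()` is routinely called on return values that are strings or arrays. Minor: the file headers of this hunk are inconsistent (`--- roundcubemail/program/lib/PEAR.php` against `+++ trunk/roundcubemail/program/lib/PEAR.php`), so the two sides need different `-p` strip levels and may confuse `patch`; normalise the prefixes before committing the backport.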
Index: trunk/roundcubemail/program/steps/mail/func.inc
===================================================================
--- roundcubemail/program/steps/mail/func.inc 2011-06-02 14:36:32.000000000 +0200
+++ roundcubemail/program/steps/mail/func.inc 2011-09-16 10:46:14.000000000 +0200
@@ -1591,7 +1591,7 @@
 {
   global $RCMAIL, $IMAP;

-  if (!is_a($message, rcube_message))
+  if (!is_object($message) || !is_a($message, 'rcube_message'))
     $message = new rcube_message($message);

   if ($message->headers->mdn_to && !$message->headers->mdn_sent &&
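Review bot: besides adding the `is_object()` guard, the new line fixes a latent bug in the removed one: `is_a($message, rcube_message)` passes a bare, undefined constant, which PHP coerces to the string 'rcube_message' while emitting an E_NOTICE; the quoted `'rcube_message'` is what was intended. This call site is also the one that matters for the report: the following line constructs an `rcube_message` from `$message`, so `$message` may arrive as a non-object, and the old check handed that value straight to `is_a()` and, on PHP 5.3.7/5.3.8, to the autoloader's `include_once("$filename.php")` quoted in the description.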
Changed 8 months ago by star26bsd

Backport for 0.5.4

comment:4 Changed 8 months ago by star26bsd

Some further tests show that without your patch, I am able to force the server to issue GET requests to any URL I provide in the subject line of an email. A user does not even have to click on this email, the GET request is issued directly after login to RoundCube. Of course, Suhosin must not be active for this attack and PHP 5.3.8 must be used. For instance, a subject line of

 http://click.me/here

will result in a GET request of here.php issued to click.me by the server hosting RC:

srv3.xxx.xx - - [16/Sep/2011:14:10:01 +0200] "GET /here.php HTTP/1.0" 404 3959 "-" "-"

This can be used to force requests to certain URLs. It can also be used to DoS RoundCube servers by requesting large amounts of data. However, within the time spent I was not able to dynamically inject code or make responses of the requests visible or usable in any way. However, I definitely recommend releasing a security/reliability patch.

Thanks, Stephan A. Rickauer, Compass Security AG, http://www.csnc.ch
