RC can be DoS'ed by sending specific email
Reported by: star26bsd | Owned by:
A user has an email in his inbox which has an amazon.de URL as the subject only (see the log message below; the server runs PHP 5.3.8 with the latest Suhosin, default config, on the latest Apache on FreeBSD). When the user logs in to Roundcube, the 'loading' box spins forever. After disabling Suhosin temporarily, the inbox can be displayed in Roundcube properly.
The log files show:
Sep 15 21:05:03 <user.alert> srv3 suhosin: ALERT - Include filename ('http://www.amazon.de/Die-unglaubliche-Geschichte-Henry-Brown/dp/3499252899/ref=pd_bxgy_b_text_c.php') is an URL that is not allowed (attacker 'xx.xx.xx.x', file '/usr/local/www/roundcubemail-0.5.3/program/include/iniset.php', line 111)
This message made me wonder why Suhosin thinks there's an include going on. Line 111 of iniset.php shows:
It seems like Roundcube wants to include what is displayed in the subject, which happens to be a URL, and Suhosin legitimately blocks this attempt.
In short, I can send an email to a user on a Suhosin-protected mail server and make his inbox unavailable. Needless to say, the user cannot delete this email himself via Roundcube. In my case, I had to delete the email file on the server to make Roundcube show the inbox again.
I have been running Suhosin + RC for more than a year now without problems. However, I upgraded to PHP 5.3.x recently, so I have reason to believe this effect is kind of related to the new Suhosin/PHP in combination with RC.
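The failure mode described in this report, as an added example that is not Roundcube's code and not the code at iniset.php line 111 (which the ticket does not show): the example assumes an autoloader-style include whose path is built from a string that, somewhere upstream, was derived from attacker-controlled mail data. All function names, the `lib/` directory and the sample subject value are hypothetical; the subject string is the one from the log line above.

```php
<?php
// Added example, not Roundcube's code. Shows (1) a naive autoloader that turns
// any string handed to it into an include path, and (2) a hardened one that
// only accepts plain PHP identifiers and stays inside a known directory.
// Directory and function names are assumptions made for this illustration.

// Constructed input: the mail subject from the Suhosin alert in the report.
const SAMPLE_SUBJECT = 'http://www.amazon.de/Die-unglaubliche-Geschichte-Henry-Brown/dp/3499252899/ref=pd_bxgy_b_text_c.php';

// (1) Naive: if this ever receives a URL that happens to end in ".php",
// include_once() is called on the URL. Suhosin (or allow_url_include=Off)
// refuses it and logs the alert seen in the report; with allow_url_include=On
// it would fetch and execute remote code instead.
function naive_autoload($class)
{
    $file = $class . '.php';
    include_once $file;
}

// Accept only what a PHP class name can be: an identifier, optionally with
// namespace separators. Anything containing '/', ':', '.' or whitespace is
// rejected before it can become part of a path.
function is_safe_class_name($class)
{
    return preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*$/', $class) === 1;
}

// (2) Hardened: validate the name, map it to a file under a fixed base
// directory, resolve the final path and require it to remain under that base.
function safe_autoload($class)
{
    if (!is_safe_class_name($class)) {
        return false;
    }
    $base = realpath(__DIR__ . '/lib');          // assumed class directory
    if ($base === false) {
        return false;
    }
    $candidate = $base . '/' . str_replace('\\', '/', $class) . '.php';
    $real = realpath($candidate);
    // realpath() fails for missing files and resolves symlinks, so a file that
    // exists but points outside $base is also caught here.
    if ($real === false || strpos($real, $base . '/') !== 0) {
        return false;
    }
    require_once $real;
    return true;
}

// Quick self-check of the validator against the reported subject and a
// legitimate-looking class name.
function validator_checks()
{
    return array(
        'subject_rejected'   => !is_safe_class_name(SAMPLE_SUBJECT),
        'class_accepted'     => is_safe_class_name('rcube_message'),
        'namespace_accepted' => is_safe_class_name('App\\Mail\\Message'),
        'traversal_rejected' => !is_safe_class_name('../../etc/passwd'),
    );
}

spl_autoload_register('safe_autoload');
var_dump(validator_checks());
```

The point of the regex check is that it runs before any filesystem or stream access, so a URL, a path with `..`, or a name with a `php://` or `data:` scheme never reaches `include`; the `realpath()` comparison is a second line of defence for the case where the name is well-formed but the resolved file is not where it is expected to be. Neither check depends on Suhosin being installed, which is what makes the inbox usable again regardless of the hardening patch in use.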