Learn how easy it is to sync an existing GitHub or Google Code repo to a SourceForge project! See Demo

Close

Security updates 0.8.6 and 0.7.3

We just published new releases which fix a recently reported vulnerability that allows an attacker to access files on the server. Please update your installations with the new versions or patch them with the fix which is also published in the downloads section or our sourceforge.net page.

Download the latest version from http://roundcube.net/download

Patch for 0.9.x: http://ow.ly/jtQD0
Patch for 0.8.x: http://ow.ly/jtQHM
Patch for 0.7.x: http://ow.ly/jtQK0
Patch for 0.6: http://ow.ly/jtQNd

In order to find out whether one of your users has vulnerable preferences, you can run the following query on the Roundcube user database:

SELECT * FROM users WHERE preferences LIKE '%generic_message_footer%'

If this returns any results, you should block that user because he or she most likely tried to exploit your system.

And here's some background about the vulnerability: http://lists.roundcube.net/pipermail/dev/2013-March/022328.html

Posted by Thomas Bruederli 2013-03-27