Fortinet Discovers Roundcube Webmail Cross-Site Request Forgery Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a cross-site request forgery (CSRF) vulnerability in Roundcube webmail.
Roundcube is a free and open source webmail solution with a desktop-like user interface that is easy to install and configure and runs on a standard LAMPP server.
The vulnerability exists because of insufficient anti-CSRF protection, and it could be exploited to trigger unwanted file downloads.
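To make the "insufficient anti-CSRF protection" point concrete, here is an added example (not Roundcube's code and not the project's actual fix) that models a webmail "download attachments as zip" endpoint twice: once relying only on the session cookie, and once additionally requiring a per-session anti-CSRF token carried in the request. The request dicts, the function names and the in-memory session store are all constructed for illustration.

```python
import hmac
import secrets

# Added example, not Roundcube's code: a model of a webmail "download selected
# attachments as a zip" endpoint, once without and once with an anti-CSRF check.
# Requests are modelled as plain dicts; all field and function names are hypothetical.


class WebmailSession:
    """Server-side state for one logged-in user."""

    def __init__(self, user):
        self.user = user
        # Per-session secret the server embeds only in pages it renders itself
        # (hidden form field, JS variable). A page on another origin cannot read it.
        self.csrf_token = secrets.token_hex(32)


SESSIONS = {}  # cookie value -> WebmailSession (the server's session store)


def login(user):
    """Create a session and return the cookie value the browser will store."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = WebmailSession(user)
    return cookie


def _authenticated_session(request):
    # The browser attaches the session cookie to every request to this host,
    # including requests a third-party page caused it to send. The cookie therefore
    # proves who the user is, not whether the user intended this action.
    return SESSIONS.get(request.get("cookie"))


def zip_download_unprotected(request):
    """Weak handler: accepts the action on the strength of the session cookie alone."""
    session = _authenticated_session(request)
    if session is None:
        return {"status": 401, "body": "login required"}
    return {"status": 200, "body": f"zip of {request['uids']} for {session.user}"}


def zip_download_protected(request):
    """Hardened handler: also requires the per-session token inside the request."""
    session = _authenticated_session(request)
    if session is None:
        return {"status": 401, "body": "login required"}
    supplied = request.get("token", "")
    # Constant-time comparison so a mismatch does not leak how much of the token matched.
    if not hmac.compare_digest(supplied, session.csrf_token):
        return {"status": 403, "body": "missing or invalid request token"}
    return {"status": 200, "body": f"zip of {request['uids']} for {session.user}"}


def demo():
    """Run both handlers against a same-site request and a cross-site one."""
    cookie = login("alice")
    token = SESSIONS[cookie].csrf_token

    # Request issued by the webmail UI itself: cookie plus the token from the page.
    same_site = {"cookie": cookie, "uids": [3, 7], "token": token}
    # Request a page on another origin made the browser send: the browser adds the
    # cookie automatically, but that page has no way to supply the token.
    cross_site = {"cookie": cookie, "uids": [3, 7]}

    return {
        "unprotected_same_site": zip_download_unprotected(same_site)["status"],
        "unprotected_cross_site": zip_download_unprotected(cross_site)["status"],
        "protected_same_site": zip_download_protected(same_site)["status"],
        "protected_cross_site": zip_download_protected(cross_site)["status"],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```

The unprotected handler returns 200 for both requests, which is exactly the defect class the advisory describes: the user's browser authenticates a request the user never initiated. The protected handler rejects the cross-site request with 403 because the token lives only in pages the application rendered. When reviewing a fix of this kind, check that every state-changing or download-triggering action validates the token, not just form submissions, and that the token is compared with a constant-time function.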
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability: Roundcube.Webmail.AttachmentZipDownload.CSRF
Released Sep 13, 2016
Users should apply the solution provided by Roundcube.
Additional Information
The vulnerability was fixed in Roundcube webmail version 1.1.5.