Fortinet Discovers Roundcube Webmail Brute Force Vulnerability
Fortinet's FortiGuard Labs has discovered a brute-force vulnerability in Roundcube webmail.
Roundcube is a free and open source webmail solution with a desktop-like user interface. It is easy to install and configure, and it runs on a standard LAMPP server.
The vulnerability exists due to insufficient anti-brute-force protection. It can be exploited to gain users' Roundcube credentials.
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:
Released Jan 03, 2016
Users should apply the solution provided by Roundcube.
The vulnerability was fixed in Roundcube webmail version 1.1.4.
This vulnerability was discovered by Zhouyuan Yang of Fortinet's FortiGuard Labs.