Roundcube Webmail Critical Security Vulnerability Report

Date: 2025-06-13
Severity: CRITICAL
CVSS Score: 9.8 (Critical)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low (authenticated user)
User Interaction: None
Impact: Remote Code Execution
Reported: No. We have not had any luck getting package maintainers to look into "potential" vulnerabilities unless we can provide a current proof of concept. As most of what we patch does not have a POC at the time we patch, we ceased attempting to report and just patch it ourselves to future-proof.

Executive Summary

A critical remote code execution vulnerability was discovered in Roundcube Webmail affecting the eval_expression() method in roundcube/program/include/rcmail_output_html.php. The vulnerability allows authenticated users to execute arbitrary PHP code on the server through template injection attacks.

Vulnerability Details

Root Cause

The eval_expression() method (line 1266) uses PHP's eval() function to process user-controllable template expressions without proper validation:

return eval("return ($expression);");

Attack Surface

Location: roundcube/program/include/rcmail_output_html.php:1266
Method: eval_expression()
Called by: check_condition() → parse_conditions() → just_parse()

Attack Mechanism

The vulnerability can be exploited when user-controlled data is processed through Roundcube's template system:

Input Vector: User-controllable data reaches template processing
Template Injection: Malicious template expressions are injected
Expression Evaluation: eval_expression() processes the malicious input
Code Execution: eval() executes arbitrary PHP code

Example Exploit:

Template Expression: "><roundcube:if condition="system('id')">
Result: Remote command execution as web server user

Impact

Technical Impact Possible

Remote Code Execution: Execute arbitrary system commands
File System Access: Read/write any files accessible to web server
Database Compromise: Access database credentials and data
Server Takeover: Install backdoors, pivot to internal network

Remediation

Immediate Actions Taken

Core Vulnerability Fix

File: roundcube/program/include/rcmail_output_html.php

Implemented comprehensive validation system:

Added validate_expression() method with blacklist approach for dangerous functions
Modified eval_expression() to validate before execution
Malicious expressions are blocked and logged

Security Validation Implementation Details

Blacklist (Always Blocked):

System calls: system(), exec(), shell_exec(), passthru()
File operations: file_get_contents(), fopen(), readfile(), etc.
Database functions: mysql_*, mysqli_*, pg_*, etc.
Object/class access: ->, ::
Variable functions: $variable()
Code execution: eval(), assert(), create_function()
Process control: proc_*, pcntl_*
Network functions: socket_*, stream_*

Allowed Elements:

Valid namespaces: env:, config:, session:, cookie:, request:, browser:, template:
Safe functions: empty(), in_array(), asciiwords(), strlen(), trim(), etc.
Comparison operators: ==, !=, ===, !==
Logical operators: &&, ||, !
Ternary operators: ? :
Simple literals: strings, numbers, booleans

Validation Benefits:

Security: Comprehensive blocking of dangerous functions
Usability: Allows legitimate Roundcube template expressions
Flexibility: Easy to extend safe function list
Maintenance: Clear separation of concerns

Timeline

Discovery: Security analysis identified unsafe eval() usage in template processing
Verification: Confirmed exploitable through template injection
Mitigation: Implemented comprehensive validation system for template expressions
Current Status: Security measures applied and operational

Contact

security@codamail.com

References

Roundcube Official Site: https://roundcube.net/
OWASP Template Injection: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection
PHP eval() Security: https://www.php.net/manual/en/function.eval.php

Report Generated: 2025-06-13
Status: RESOLVED - Comprehensive security validation implemented