1

Topic: Security: XSS vulnerability in roundcubemai-0.2-stable

Hi, all.

All users use iRedMail-0.4.0 which ships roundcubemail-0.2-stable should
apply this patch *as soon as possible*.

Description:

   There's a cross-site scripting (XSS) vulnerability in RoundCube
   Webmail (roundcubemail) 0.2 stable allows remote attackers to inject
   arbitrary web script or HTML via the background attribute embedded
   in an HTML e-mail message.

Reference:

   * CVE-2009-0413
     http://cve.mitre.org/cgi-bin/cvename.cg … -2009-0413

Patch attachted. Please follow the steps to apply it.

   * Backup your current roundcubemail directory. e.g. copy the whole
     directory to /opt/backup/.

# cp -rfp /var/www/roundcubemail-0.2-stable/ /opt/backup/

   * Download the patch, upload it to your mail server. We assume
     you upload it to /opt/

   * Change directory and apply the patch:

# cd /var/www/roundcubemail-0.2-stable/
# patch -p1 < /opt/roundcubemail-CVE-2009-0413.patch
patching file program/lib/washtml.php

2

Re: Security: XSS vulnerability in roundcubemai-0.2-stable

Thank you.

3

Re: Security: XSS vulnerability in roundcubemai-0.2-stable

Successfully applied.