Security updates 1.3.3, 1.2.7 and 1.1.10 released
We just published updates to all stable versions from 1.1.x onwards delivering fixes for a recently discovered file disclosure vulnerability in Roundcube Webmail.
Apparently this zero-day exploit is already being used by hackers to read
Roundcube’s configuration files. It requires a valid username/password as the
exploit only works with a valid session. More details will be published soon under
The Roundcube series 1.0.x is not affected by this vulnerability but we nevertheless back-ported the fix in order to protect from yet unknown exploits.
We strongly recommend to update all productive installations of Roundcube with either one of these versions.
In order to check whether your Roundcube installation has been compromised
check the access logs for requests like
As mentioned above, the file disclosure only works for authenticated users and
by finding such requests in the logs you should also be able to identify the
account used for this unauthorized access. For mitigation we recommend to change
the all credentials to external services like database or LDAP address books
and preferably also the
des_key option in your config.