Mayor bug in Roundcube webmail

D

Djunity

Verified User
Joined
Mar 9, 2008
Messages
243
Location
Holland
Last december roundcube updated a mayor bug in the webmail script see there website for this message
Security update for 0.2-beta2008/12/16

There were two security issues reported which are now fixed. The first was as possible code injection using the html2text conversion script. The other exploit used the unchecked size parameters of the quota image to let PHP create huge images eating up all the server memory. (0 comments)
Click to expand...

Currently there are people who are scanner over the net using google for people who have Roundcube our other php programs with the intention to hack those servers and believe me they can. They found some exploids in those programs.

We got hit today they took out 2 of our servers.
 
It's been a couple months since that vulnerability got public, I can't believe there is still so many administrators that don't care enough about the software their servers run and don't update them at least once a week...

I know Djunity will care from now on, as all the people that in the last two months asked for help because their servers have been "hacked" with "exploids"... but I think that everyone else needs this:

If you care about the security of your services (reliability, along with data theft and corruption) make sure to hire someone that is capable to do that.
If you don't know how to secure your servers, they will be compromised. It's impossible to offer an Internet service without spending money on their security: either you have to learn to do it, or to hire someone that learned it.

I'm not asking everyone to care because I'm a saint, but because I'm worried that one day we will end with a zombie/botnet situation just like with almost any Windows box on this planet, only it will not be about home/ADSL lines, but 100Mbps multihomed connections. And this means pain and suffering for everyone.
 
This guide contains tips to help admins to at least automate notifications of updates with custombuild:
http://help.directadmin.com/item.php?id=247

There are options to have it update things automatically, but it cannot replace a human admin. Relying on automation of updates makes people lazy in understanding what's going on, hence I'm not a fan ;) The email "notifications" feature is good though.

John
 
You must log in or register to reply here.
Back
Top