Roundcube vulnerability ??

serious

Guys, it is really a very serious case. I work in a DC and very many clients are affected by this issue with roundcube :(
 
[...] DirectAdmin is an "integrator" of sorts. DirectAdmin could basically absolve itself of dealing with these kinds of responsibility issues if it forced a user to choose to install an app like Roundcube at install time rather than have the user have go clean up unwanted things afterwards.
I understand what you are saying, but my opinion is that DirectAdmin is a product, and the integrator which has the responsibility to check what's there and what's insecure is the server administrator, not the DA developers.
Of course since DA is a commercial product, they have the moral obligation to notify all of their customers about the vulnerability as soon as they are aware of it -- and that's what they have done (I've received an email).

Just like every other component of security that people have mentioned in this thread, being proactive at not installing things that you are not using is another way to increase security. In this scenario, anyone who had chosen to not install Roundcube would not have been vulnerable to this particular exploit period.
This is perfectly right: any software should have a "minimal" version for high security purposes or a list of base feature options when installing, or at the very least a dedicated list of features that can be removed afterwards.
This is missing on DA, but I'm not surprised: I'm not aware of any control panel with any of those, and 99.9% of software hasn't got them.

People tend to forget that more features = more code, more code = more bugs, more bugs = more security risk. This is the most important lesson about security.
 
I understand what you are saying, but my opinion is that DirectAdmin is a product, and the integrator which has the responsibility to check what's there and what's insecure is the server administrator, not the DA developers.

I agree with you. I wasn't saying that the DA developers are responsible for our server security, I was just saying that it would be nice if we had the opportunity to not install any or all nonessential apps in the DirectAdmin install script. The onus is still on us to decide which apps we are going to install and how to configure them, but the DA developers could help us out a little by making it easier to get rid of things we don't need right from the beginning.
 
You can choose not to install Roundcube at installation time if you want. When it asks you if you want to use the defaults, answer "no".
 
You can choose not to install Roundcube at installation time if you want. When it asks you if you want to use the defaults, answer "no".

No, that's not correct, and that is precisely what puzzled me when I installed DirectAdmin on a new server. I chose "NO" when it asked about any of the webmail apps including Roundcube and when the install was done I still had an old version of Roundcube installed, so apparently the way it works now is that it is asking only if you want the Custombuild script to manage/update Roundcube, but not whether it is going to be installed in the first place.
 
Ah, sorry :) You are right, it's done because of the following line in /usr/local/directadmin/scripts/exim.sh:
${SCRIPTPATH}/roundcube.sh

It installs squirrelmail, roundcube and uebimiau by default. You should email DirectAdmin support and ask them to fix the bug.
 
I find it unlikely that people would have chosen "No" to roundcube before knowing about the vulnerability. Right after running the DirectAdmin install anybody could have easily removed it with a simple "rm -rf /var/www/html/roundcube*" but yet nobody did. Why? Because we all thought it was safe to run.

It's easy to say in hindsight "I never would have installed it." But in reality most people would have installed it. And the ones here wanting to have the choice, you had the choice to take 10 seconds out of your day to remove it, but you didn't. And you have the choice to remove anything that DA installs by default.
 
I agree, again, with floyd.

That's why I said dedicated in my last post.
1) There is a big difference between something like "Do you want to use defaults?" and "You may want to choose exactly which base software to install in your distribution, because any extra feature can potentially undermine the security of your server".

2) The same difference exists between a list of KBs in the support area that explain how to deactivate some services, and a single KB stating "For security reasons you may want to deactivate any or all of those services if unused: link, link, link...", and a link to this page should be printed out after the install if there isn't point 1).

That's proactive security :) the idea behind is that "sometimes, less is more". This way customers will have a more secure system, and won't miss the extra features.
 
Not to flog a dead horse or anything but my logs are showing lots of active scans for roundcube vulnerabilities this morning, you should probably check yours too.

http://isc.sans.org/diary.html?storyid=5659

Just to add a little (off) color, two of the culprits start their probes with GET /nonexisten****, and GET /thisdoesnotexistahaha.php which are old and tired. Looks like some botnet trying to learn new tricks. Too lazy to count the number of IP's involved, maybe 2 dozen....
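A defender-side check for the scans described in this post, added here as an example and not code from the thread: it parses Apache combined-format access-log lines and flags a source IP that either sent one of the canary requests the post mentions or produced a run of 404s on Roundcube-style paths, which is what probing for an absent or renamed install looks like. The sample lines are constructed, and the list of Roundcube paths and the 404 threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); IPs and
# timestamps are made up. Two lines mimic the canary probes seen in the post.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2009:08:12:01 +0000] "GET /nonexistent HTTP/1.1" 404 213 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jan/2009:08:12:02 +0000] "GET /roundcube/ HTTP/1.1" 404 213 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jan/2009:08:12:03 +0000] "GET /webmail/ HTTP/1.1" 404 213 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jan/2009:08:15:44 +0000] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 213 "-" "-"
198.51.100.7 - - [10/Jan/2009:08:15:45 +0000] "GET /roundcubemail/ HTTP/1.1" 404 213 "-" "-"
192.0.2.9 - - [10/Jan/2009:08:20:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2009:08:20:11 +0000] "GET /roundcube/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Canary request prefixes the post observed at the start of each scanner's run.
CANARY_PREFIXES = ("/nonexisten", "/thisdoesnotexist")
# Assumed locations a scanner would try for a Roundcube install.
ROUNDCUBE_PREFIXES = ("/roundcube", "/rc/", "/webmail", "/mail/")


def parse_line(line):
    """Return (ip, path, status) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path").lower(), int(m.group("status"))


def find_scanners(log_text, min_rc_404s=2):
    """Flag IPs that sent a canary probe or >= min_rc_404s Roundcube-path 404s."""
    per_ip = defaultdict(lambda: {"canary": False, "rc_404s": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:  # skip lines that are not in combined format
            continue
        ip, path, status = parsed
        if path.startswith(CANARY_PREFIXES):
            per_ip[ip]["canary"] = True
        # A real user of an installed Roundcube gets 200s, not a run of 404s.
        if status == 404 and path.startswith(ROUNDCUBE_PREFIXES):
            per_ip[ip]["rc_404s"] += 1
    return {ip: rec for ip, rec in per_ip.items()
            if rec["canary"] or rec["rc_404s"] >= min_rc_404s}
```

Feed it a real access log with `find_scanners(open(path).read())`; the legitimate client in the sample (192.0.2.9) is not flagged because its Roundcube request returned 200.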
 

Probably to read your server's signature :) which by default includes the Apache version, OS (Linux or Windows) and other things like the PHP version.
 
On our older servers, running Apache 1.x and PHP 4, our servers return:
Apache/1.3.41 Server at www.example.com Port 80
On our newer servers, running Apache 2.x and PHP 5, our servers return no server signature at all.

Jeff
 
I find it unlikely that people would have chosen "No" to roundcube before knowing about the vulnerability.
floyd, you are completely missing my point.

First, if someone isn't going to be using Roundcube, why in the world would they want it installed? I'm sure there are more than a couple people like me who rely primarily on externally hosted mail, and thus ANY webmail program is pointless. I specifically did not want it installed and did not think it would be installed if I chose "NO" during installation.

Right after running the DirectAdmin install anybody could have easily removed it with a simple "rm -rf /var/www/html/roundcube*" but yet nobody did. Why? Because we all thought it was safe to run.

Wrong. Anybody could have done that but it was absolutely not clear that Roundcube was still installed if you chose "NO" to Roundcube during installation. Did you read what smtalk posted? Sure, I should have been more proactive to make sure things were not installed but that is not the point of this discussion. The simple point is that we should have an easy option to NOT install non-essential components right from the beginning. It is stupid to just install everything and then go and delete what you don't want when it would be extremely easy to have the script just not install what you don't want period.

It's easy to say in hindsight "I never would have installed it." But in reality most people would have installed it. And the ones here wanting to have the choice, you had the choice to take 10 seconds out of your day to remove it, but you didn't. And you have the choice to remove anything that DA installs by default.

Once again, my statements were referring to people who would not be using Roundcube, and therefore it would be ridiculous to install it if you aren't going to be using it. If the installation or documentation made it clear that you need to go in and remove anything you don't want that would be fine, but when there is a custom installer that walks you through applications with a YES/NO choice it seems pretty clear to me that choosing "NO" should mean that it doesn't get installed at all.

You seem to focus on how easy it is to remove Roundcube, but my whole point has been how easy it has been to think Roundcube wasn't installed from the beginning when it was.
 
My point is that most would have installed roundcube anyway and therefore been susceptible.

but that is not the point of this discussion

The point of the discussion which I started is there was a roundcube vulnerability. BTW you're welcome.

If you would like to have a clear option to install or not to install then put it in the feature request.

it would be extremely easy to have the script just not install what you don't want period

The script is open source. Feel free to change it anyway you like.

but when there is a custom installer that walks you through applications with a YES/NO choice

I am glad I don't have to sit there and answer a bunch of questions to install DA. I run one command and let it go. I can then remove what I don't want after it's done what it does. It's a lot faster that way.
 
My point is that most would have installed roundcube anyway and therefore been susceptible.

I was never saying those that wanted to install Roundcube would have benefited from the option to not install it, obviously. So you're saying that because most users want to install Roundcube that no one should have the option in the install script to not install it when you choose "No, I don't want to use the defaults"?

The point of the discussion which I started is there was a roundcube vulnerability. BTW you're welcome.
Way to toot your own horn. I certainly have benefited from the info you have posted but actually I did not "discover" this vulnerability because you posted something about it. I found out about it similar to how you did because of noticing the issue on one of my servers.

If you would like to have a clear option to install or not to install then put it in the feature request.
As smtalk and I have already pointed out, there essentially IS already a clear option to install/not install it, but it is not functioning as one would expect it to. That, again, is the point I was making.

The script is open source. Feel free to change it anyway you like.
I can fix a bug or change something in the script myself, but I'm trying to help make it more useful for everyone, not just myself. And I also don't want to have to maintain a special install script just for me.

I am glad I don't have to sit there and answer a bunch of questions to install DA. I run one command and let it go. I can then remove what I don't want after it's done what it does. It's a lot faster that way.
Cool, that's great. That's why there is already an option for you to choose whether you want to use defaults or not. If you choose not to use defaults then obviously you have to answer some questions. If you want to install everything and then clean up unwanted stuff on your own, that's your prerogative. That doesn't mean everyone should have to do it that way.

Furthermore, I don't usually "answer a bunch of questions to install DA" either. I edit the options.conf file which clearly includes choices for webmail apps, all of which I have marked as "NO".
 
dlong500 said:
Way to toot your own horn.

My point in that is that I am the one who started the discussion and so I am very well aware of what the topic is. I don't need you to tell me the point of a discussion that I started.

dlong500 said:
That's why there is already an option for you to choose whether you want to use defaults or not.

No I don't. I don't answer any questions or edit any configuration files. I download the setup script and then I run one command to start the install as soon as it's downloaded. I would hate to have to change that.

dlong500 said:
And I also don't want to have to maintain a special install script just for me.

But what you are asking for them to do is probably going to force me to maintain my own or change the setup script. Essentially you are asking me to change to doing something you are not willing to do.

I guess my last point is that I like the way it is now. I have my opinion you have yours. Neither are right or wrong.
 
floyd, I'm not trying to argue with you and I really don't want to make you change the way you do things.

Can you clarify something for me from your last post? When you say:
I don't answer any questions or edit any configuration files. I download the setup script and then I run one command to start the install as soon as it's downloaded.

I don't understand what you mean in reference to what I'm saying. You either have to give command line options to the install script or walk through the question/answer section. That function is already there. All I was saying is make it so that when you DO choose to edit the options.conf file or decide to use the question/answer mode that choosing "NO" to Roundcube will not install it. None of that would change the way you do things at all.

Isn't the whole point of the options.conf file supposed to be used for this purpose? To choose what apps (or versions of apps) are going to be installed?
 
You have to realize I install DA on average on a weekly basis. I have a file that contains all the things I have to do to not only set DA but all the other things and customizations I have to do. I cannot possibly remember every single thing so I do a lot of copying and pasting.

I paste this line to install DA

Code:
sh setup.sh UID LID hostname eth0

I edit the UID, LID and hostname. I don't have to answer any question. I don't have to edit any options file or config file.

All I was saying is make it so that when you DO choose to edit the options.conf file or decide to use the question/answer mode that choosing "NO" to Roundcube will not install it.

You have made that clear. It appears that it's only roundcube that had the problem.

Go back to post #55. You said:

floyd, you are completely missing my point.

How can I miss your point when I was not even commenting on anything you said. You are commenting on how things should or should not be installed. I am saying that people would have installed it anyway. These are two valid but very different points. I am not sure why you thought they were related.

I have to admit that I did start commenting on your point after this but where we are now has nothing to do with what you referred to when you said I was missing your point.

I had said:
I find it unlikely that people would have chosen "No" to roundcube before knowing about the vulnerability.

You said I missed your point and then went on to talk about something different.

That's why we need different threads. We have different conversations going on here now in this one thread.
 