
Update Protection against Roundcubemail PHP Arbitrary Code Injection

Check Point Reference: CPAI-2009-013
Date Published:
Severity:
Source: Securiteam
Industry Reference(s): CVE-2008-5619
Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
RoundCube Webmail version 0.2-beta and prior
Vulnerability Description
A vulnerability has been identified in RoundCube Webmail, a browser-based IMAP client. The vulnerability could be triggered via a specially crafted POST request to compromise a vulnerable web server.
Update/Patch Available
Apply the patch provided at: http://sourceforge.net/forum/forum.php?forum_id=898542.

Vulnerability Details
The vulnerability is caused by input validation errors in the "roundcubemail/program/lib/html2text.php" script when processing HTML tags, allowing attackers to inject and execute arbitrary code via a specially crafted POST request.

Protection Overview
By enabling this protection, IPS-1 will detect and block attempts to POST PHP script text to the RoundCube server.

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the User-Definable Variables protection group.
3. Click A combination of filename and data which are user-defined to be bad (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: User-Defined Attacks
Description: A combination of filename and data which are user-defined to be bad
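
The rule this protection describes, a filename combined with request data, sketched as an added example (not Check Point's signature and not code from this advisory). The PHP open-tag patterns and the sample request are constructed assumptions, since the advisory does not publish the data it matches.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_to_bytes

BAD_FILENAME = "html2text.php"  # script named in the advisory
# Assumed signature for "PHP script text"; the advisory does not list one.
BAD_DATA = re.compile(rb"<\?php|<\?=", re.IGNORECASE)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, decoded path, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    return method.upper(), unquote(urlsplit(target).path), body


def normalise(body: bytes) -> bytes:
    """Undo form encoding so an encoded body is checked against the same data."""
    return unquote_to_bytes(body.replace(b"+", b" "))


def is_user_defined_attack(raw: bytes) -> bool:
    """True when both halves of the rule match: bad filename AND bad data."""
    try:
        method, path, body = parse_request(raw)
    except ValueError:
        return False  # request line could not be parsed
    filename = path.rsplit("/", 1)[-1].lower()
    if method != "POST" or filename != BAD_FILENAME:
        return False
    return bool(BAD_DATA.search(body) or BAD_DATA.search(normalise(body)))


# Constructed sample request, for illustration only.
SAMPLE = (
    b"POST /roundcubemail/program/lib/html2text.php HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"%3C%3Fphp+echo+1%3B+%3F%3E"
)

if __name__ == "__main__":
    print("Alert Name: User-Defined Attacks" if is_user_defined_attack(SAMPLE)
          else "no match")
```

Both conditions must hold: PHP text posted to any other script, or ordinary HTML posted to html2text.php, does not raise the alert.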