Download Roundcube Webmail 1.0.12 / 1.1.10 / 1.2.7 / 1.3.3

Due to a security issue, updates have been released for Roundcube Webmail versions 1.1, 1.2 and 1.3. Version 1.0 is not affected by this problem, but an update has been released for it as well. This webmail client, written in PHP, uses Ajax to render its user interface, which gives it a modern and smooth feel. Roundcube Webmail includes support for shared folders and namespaces, internationalized domain names and SMTP delivery status notifications. In addition, the user interface for IMAP folders has been modified to provide more space for extensions and plugins. The release notes for this release are as follows:

Security updates 1.3.3, 1.2.7 and 1.1.10 released
We just published updates to all stable versions from 1.1.x onwards delivering fixes for a recently discovered file disclosure vulnerability in Roundcube Webmail. Apparently this zero-day exploit is already being used by hackers to read Roundcube’s configuration files. It requires a valid username/password as the exploit only works with a valid session. More details will be published soon under CVE-2017-16651.

The Roundcube series 1.0.x is not affected by this vulnerability but we nevertheless back-ported the fix in order to protect from yet unknown exploits.

See the full changelog for the corresponding version in the release notes on the GitHub download pages: v1.3.3, v1.2.7, v1.1.10, v1.0.12

We strongly recommend updating all production installations of Roundcube to one of these versions.

Mitigation

In order to check whether your Roundcube installation has been compromised, check the access logs for requests like ?_task=settings&_action=upload-display&_from=timezone. As mentioned above, the file disclosure only works for authenticated users and by finding such requests in the logs you should also be able to identify the account used for this unauthorized access. For mitigation we recommend changing all credentials to external services like database or LDAP address books and preferably also the des_key option in your config.
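
The log check described above, as an added example (not code from Roundcube or from this page): it parses web server access logs and reports requests carrying the three parameters named in the release notes, regardless of parameter order or URL encoding. The Apache/nginx "combined" log format, the function name and the sample lines are assumptions made for illustration.

```python
import re
import sys
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache/nginx "combined" access log format; adapt for custom formats.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter values taken from the request pattern quoted in the release notes.
WANTED = {"_task": "settings", "_action": "upload-display", "_from": "timezone"}

def find_suspect_requests(lines):
    """Return ip/time/status/target for every request matching WANTED."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # parse_qs URL-decodes values, so upload%2Ddisplay and any
        # parameter order are still recognised.
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if all(value in params.get(key, []) for key, value in WANTED.items()):
            hits.append({"ip": m["ip"], "time": m["time"],
                         "status": int(m["status"]), "target": m["target"]})
    return hits

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Nov/2017:10:12:01 +0000] "GET /roundcube/?_task=settings&_action=upload-display&_from=timezone HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Nov/2017:10:12:05 +0000] "GET /roundcube/?_from=timezone&_action=upload%2Ddisplay&_task=settings HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Nov/2017:10:13:00 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 8211 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Nov/2017:10:14:00 +0000] "GET /roundcube/?_task=settings&_action=preferences HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Usage: python script.py access.log [access.log.1 ...]; no args runs the sample.
    lines = SAMPLE_LOG
    if len(sys.argv) > 1:
        lines = (l for p in sys.argv[1:] for l in open(p, errors="replace"))
    for hit in find_suspect_requests(lines):
        print(hit["time"], hit["ip"], hit["status"], hit["target"])
```

The source IP and timestamp of each hit are the starting point for identifying the account, as the release notes describe.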

Version number 1.0.12 / 1.1.10 / 1.2.7/1.3.
Release status Final
Operating systems script language
Website Roundcube Webmail
File size 5.09MB

License type GPL