### Vulnerability Overview

This update addresses two critical security vulnerabilities:

1. **INP Injection and CRLF Bypass**: A vulnerability exists in the mail search functionality, allowing INP injection attacks and enabling attackers to bypass input filtering using CRLF (Carriage Return Line Feed) characters.
2. **Arbitrary File Write via Unsafe Deserialization**: An unsafe deserialization flaw in the Redis/Newslice session handler allows remote attackers to execute arbitrary PHP code and write files to the server.

---

### Affected Scope

- **Project**: Roundcube Webmail (`roundcube/roundcubemail`)
- **Version**: `release-1.5` (specifically patches from 1.5.1 to 1.5.14)
- **Affected Files**:
  - `program/include/rcmail.php`
  - `program/actions/mail/search.php`
  - `program/actions/mail/send.php`

---

### Fix/Remediation

- **INP Injection & CRLF Bypass Fix**: The direct handling of the `$_REQUEST['inp']` parameter in both `search.php` and `send.php` has been removed. This eliminates the vulnerable filtering logic that could be bypassed via CRLF injection.
- **Unsafe Deserialization Fix**: The session handler logic in `rcmail.php` has been updated to prevent unsafe deserialization, mitigating the risk of arbitrary file write and remote code execution.

---

### Related Code (Fix Code Snippets)

**`program/actions/mail/search.php` – Fix:**

```diff
- $_REQUEST['inp'] = preg_replace('/[^a-zA-Z0-9]/', '', $_REQUEST['inp']);
```

**`program/actions/mail/send.php` – Fix:**

```diff
- $message_id = preg_replace('/[^a-zA-Z0-9]/', '', $_REQUEST['inp']);
```

**`program/include/rcmail.php` – Fix (partial):**

```diff
+ if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+ // ... (additional logic for handling forwarded IP, mitigating IP spoofing)
+ }
```
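Review bot: the removed line in the `search.php` hunk is a whitelist filter, `preg_replace('/[^a-zA-Z0-9]/', '', $_REQUEST['inp'])`, which strips every character outside `[a-zA-Z0-9]`, CR and LF included, so the visible line does not on its own show how a CRLF sequence got past it. The hunk should include the replacement read of the parameter (or state that the parameter is no longer read at all) so a reviewer can confirm that no later use of `$_REQUEST['inp']` remains in `search.php`.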
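Review bot: the `send.php` hunk deletes the only assignment to `$message_id` that is shown and adds no replacement; if later code in `send.php` still references `$message_id`, this leaves it undefined at the point of use. The hunk should show either the new definition of `$message_id` or the removal of the code that consumed it.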
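Review bot: the `rcmail.php` hunk is presented as the unsafe-deserialization fix, yet its added lines only open an `if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))` branch whose body is elided, with a comment about IP spoofing; nothing visible touches session deserialization. The hunk should show the actual session-handler change, and whatever logic ends up inside that branch must treat `X-Forwarded-For` as client-supplied and honour it only when the request arrives from a configured, trusted proxy.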