POC details: 73ab777c1f8210a743c3e81aa1caf76051df6086

Source
Related vulnerability
Title: Roundcube Webmail security vulnerability (CVE-2025-49113)
Description: Roundcube Webmail is an open-source, browser-based IMAP client from Roundcube that supports address book management, message search, spell checking and more. Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11 contain a security vulnerability caused by the `_from` parameter not being validated, which can lead to a PHP object deserialization attack.
Description
A powerful Python scanner to detect CVE-2025-49113 vulnerability in Roundcube Webmail. Developed by Issam Junior (@issamiso).
Introduction
<img src="https://raw.githubusercontent.com/issamjr/CVE-2025-49113-Scanner/refs/heads/main/img.jpg" />


# CVE-2025-49113 Scanner

## 🔍 Description

A powerful, multi-method Python scanner for detecting **CVE-2025-49113**, a critical remote code execution vulnerability in Roundcube Webmail.

- **CVE**: 2025-49113  
- **Type**: Authenticated Remote Code Execution via unsafe PHP object deserialization  
- **Affected Versions**: Roundcube < 1.5.10 and 1.6.x < 1.6.11 (fixed in 1.5.10 and 1.6.11)  
- **Author**: Issam Junior ([@issamiso](https://t.me/issamiso))  

---

## 💥 Vulnerability Summary

`program/actions/settings/upload.php` in Roundcube Webmail does not validate the `_from` parameter, which lets an attacker inject malicious serialized PHP objects that are later unserialized. Because the handler sits behind the login, exploitation requires an authenticated session (any valid user account is enough), and a successful attack yields **remote code execution** (RCE) as the web server user on the mail host.

---

## 🧪 Detection Methods

This scanner uses **three different techniques** to detect the vulnerability:
1. **Error-Based Analysis** – Looks for PHP fatal or uncaught-error messages in the response body. These only reach the client when PHP error display is enabled, so their absence proves nothing.
2. **Serialization Leakage** – Looks for PHP-serialized data (strings beginning with `O:` or `a:`) echoed back in the response.
3. **Header Anomaly Checks** – Flags headers such as an exposed `X-Powered-By: PHP`. This only confirms that the backend runs PHP; it is not evidence of the vulnerability and is the weakest of the three signals.

The script also **automatically detects Roundcube** installations before testing.
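The following is an added example and is not the `scanner.py` shipped in this repository. It shows how the three response checks above can be combined with the one signal that is actually decisive for this CVE, the version number, and how an unaccepted session (the server answering with the login form) should downgrade any response-based result. The regular expressions, the sample responses and the verdict strings are assumptions written for this example.

```python
"""Version gate plus response classifier for a CVE-2025-49113 check.
Added example; not the repository's own scanner code."""
import re
from typing import Dict, List, Tuple

# Fixed releases named on this page: 1.5.10 and 1.6.11.
FIXED_1_5 = (1, 5, 10)
FIXED_1_6 = (1, 6, 11)

# Response patterns (assumptions for this example): a PHP fatal/uncaught error,
# a PHP-serialized object or array echoed back, and Roundcube's login form fields.
PHP_FATAL = re.compile(r"Fatal error|Uncaught (?:Error|Exception|TypeError)", re.I)
SERIALIZED_PHP = re.compile(r'\bO:\d+:"[^"]+":\d+:\{|\ba:\d+:\{')
LOGIN_FORM = re.compile(r'name="_user"|name="_pass"')


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull the first x.y.z triple out of a banner, header or version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: str) -> bool:
    """Apply the two ranges from the advisory: < 1.5.10, and 1.6.x < 1.6.11.

    Assumption: releases older than 1.5 are also affected (they predate the
    1.5.10 fix), and 1.7 or later is treated as fixed.
    """
    v = parse_version(version)
    if v[:2] == (1, 6):
        return v < FIXED_1_6
    return v < FIXED_1_5


def classify_response(status: int, headers: Dict[str, str], body: str) -> List[str]:
    """Tag one HTTP response with the signals the three detection methods look
    for, plus 'unauthenticated' when the server answered with the login page."""
    signals: List[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}
    redirected_to_login = status in (301, 302) and "_task=login" in lowered.get("location", "")
    if LOGIN_FORM.search(body) or redirected_to_login:
        signals.append("unauthenticated")      # session cookie was not accepted
    if PHP_FATAL.search(body):
        signals.append("php_fatal_error")      # 1. error-based analysis
    if SERIALIZED_PHP.search(body):
        signals.append("serialized_php")       # 2. serialization leakage
    if "php" in lowered.get("x-powered-by", "").lower():
        signals.append("x_powered_by_php")     # 3. header anomaly: weak, only says "PHP"
    return signals


def assess(version: str, signals: List[str]) -> str:
    """The version decides; body and header signals only qualify the verdict."""
    if not is_affected(version):
        return "not affected: fixed release"
    if "unauthenticated" in signals:
        return "affected version, but the session was not accepted: response signals unreliable"
    if "php_fatal_error" in signals or "serialized_php" in signals:
        return "affected version with deserialization-related response"
    return "affected version (by version number only)"


# Constructed sample responses, not captured from any real server.
SAMPLE_LOGIN_PAGE = (200, {"X-Powered-By": "PHP/8.2.4"},
                     '<form><input name="_user"><input name="_pass"></form>')
SAMPLE_FATAL_PAGE = (500, {"Content-Type": "text/html"},
                     "PHP Fatal error:  Uncaught TypeError in unserialize()")

if __name__ == "__main__":
    for ver, resp in (("1.6.10", SAMPLE_LOGIN_PAGE), ("1.6.10", SAMPLE_FATAL_PAGE), ("1.6.11", SAMPLE_FATAL_PAGE)):
        print(ver, classify_response(*resp), "->", assess(ver, classify_response(*resp)))
```

The design point is the ordering in `assess`: a fixed version short-circuits everything, and a login page or redirect to `_task=login` means the vulnerable handler never ran, so the error and serialization checks have nothing to say about that host.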

---

## ✅ Protection & Mitigation

- Upgrade to **Roundcube 1.5.10** or **1.6.11** (or later); this is the only change that removes the vulnerable code path
- Filter and sanitize user input (defense in depth; it does not replace the upgrade)
- Avoid `unserialize()` on attacker-influenced data, or apply a safe serialization handler
- Enforce secure cookie attributes (`HttpOnly`, `SameSite`, etc.) to make session theft harder; this does not stop an already-authenticated user from exploiting the bug

---

## ⚙️ Usage

### Clone and install requirements:
```bash
git clone https://github.com/issamjr/CVE-2025-49113-Scanner.git
cd CVE-2025-49113-Scanner
pip install -r requirements.txt
```

### Scan a single target:
```bash
python3 scanner.py --url https://target-roundcube.com/
```

### Scan a list of targets:
```bash
python3 scanner.py --list targets.txt
```

> The vulnerable handler is only reachable with a valid logged-in session. The default cookie (`roundcube_sessid=fake-session`) is a placeholder: a real target rejects it and answers with the login page, so the error and serialization checks never see the vulnerable code path. Supply a real session cookie for meaningful results.

---

## 📁 Example File (`targets.txt`)
```
https://mail1.example.com
https://webmail.anotherdomain.org
```

---

## 🔐 Disclaimer

This tool is intended **only for authorized security auditing and educational purposes**.  
The author is not responsible for any damage caused by misuse.

---

## 🛠️ Contact

Developer: **Issam Junior**  
Telegram: [@issamiso](https://t.me/issamiso)  
GitHub: [github.com/issamjr](https://github.com/issamjr)
File snapshot

```
/data/pocs/73ab777c1f8210a743c3e81aa1caf76051df6086
├── img.jpg          (43K)
├── README.md        (2.4K)
├── requirements.txt (18 bytes)
└── scanner.py       (4.9K)
0 directories, 4 files
```