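Related vulnerability
Title:
Roundcube Webmail security vulnerability
(CVE-2025-49113)
Description: Roundcube Webmail is an open-source, browser-based IMAP client from Roundcube that supports address book management, message search, spell checking and more. Roundcube Webmail versions before 1.5.10 and versions before 1.6.11 contain a security vulnerability that stems from the `_from` parameter not being validated, which may lead to a PHP object deserialization attack.
Introduction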
# Roundcube RCE Lab (CVE-2025-49113)
[License: MIT](https://opensource.org/licenses/MIT)
A hands-on, containerized lab environment to simulate and exploit a critical Post-Authentication RCE vulnerability in Roundcube Webmail, identified as `CVE-2025-49113`.
## 📖 About The Vulnerability
This lab demonstrates a sophisticated attack chain against the Roundcube webmail client. The vulnerability is a **Post-Authentication Remote Code Execution (RCE)** caused by improper handling of PHP session data, leading to **PHP Object Deserialization**.
An authenticated attacker can craft a malicious PHP object, inject it into the server's session data through an endpoint like the image upload functionality, and then trigger its deserialization by performing a seemingly benign action, such as logging out. This forces the server to execute arbitrary code provided by the attacker.
### Key Concepts
- **PHP Object Injection:** The core of the attack, where a serialized PHP object is passed into the application.
- **Gadget Chain:** A sequence of classes and methods within the application's codebase (`Crypt_GPG_Engine` in this case) that can be abused by the deserialization process to perform unintended actions.
- **Session Corruption:** The technique used to inject the malicious object into the user's server-side session.
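A defender-side companion to the concepts above, added here and not part of the lab repository: the vulnerability description on this page attributes the flaw to an unvalidated `_from` parameter, so this example triages web access logs for upload requests whose `_from` value is not a plain identifier. The combined-style log format, the `_action=upload` query shape and the allow-list pattern are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate _from value is a short identifier, optionally
# prefixed with "add-" or "edit-", using only letters, digits, "_", "." and "-".
SIMPLE_FROM = re.compile(r"(?:add-|edit-)?[\w.-]+", re.ASCII)

# Assumption: access log in common/combined format with a quoted request line.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_from(log_line):
    """Return the decoded _from value when the line is an upload request whose
    _from fails the allow-list; return None for every other line."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    query = parse_qs(urlsplit(match.group("target")).query, keep_blank_values=True)
    if "upload" not in query.get("_action", []):
        return None
    for value in query.get("_from", []):
        # parse_qs has already percent-decoded the value, so encoded
        # punctuation cannot slip past the allow-list.
        if not SIMPLE_FROM.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_value) for each flagged log line."""
    return [(number, value) for number, line in enumerate(lines, 1)
            if (value := suspicious_from(line)) is not None]


# Constructed sample lines (not captured traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "POST /?_task=settings&_action=upload&_from=add-%22quoted%20value%22 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2025:10:01:00 +0000] "GET /?_task=mail&_mbox=INBOX HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-simple _from value {value!r}")
```

A hit is a lead for review rather than proof of compromise; correlate it with the authenticated session and with subsequent requests from the same client.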
---
## 🎯 Live Simulation Lab
This repository contains a vulnerable Roundcube instance ready for you to exploit. The lab can be run instantly in the cloud or on your local machine.
### Method 1: Run in GitHub Codespaces (Recommended)
This is the easiest way to get started. It provides a pre-configured, cloud-based environment in your browser.
1. **Launch Codespace:** Click the "Open in GitHub Codespaces" badge at the top of this README.
[Open in GitHub Codespaces](https://github.com/codespaces/new?repo=hackmelocal/CVE-2025-49113-Simulation)
2. **Wait for Setup:** GitHub will prepare your environment. Once complete, a terminal will appear.
3. **Start the Vulnerable Services:** In the VS Code terminal, run the following single command:
```bash
docker compose up
```
This will start the vulnerable Roundcube instance, a mail server, and a database. You will see a "Ports" tab appear. Click the link for Port `8080` to open Roundcube in a new browser tab.
4. **Perform the Exploit:**
- Open a **new terminal** in your Codespace (Click the `+` icon in the terminal panel).
- Follow the instructions in the "🚀 How to Run the Exploit" section below.
### Method 2: Run Locally
Run the entire lab on your own machine with Docker.
**Prerequisites:**
- [Docker](https://docs.docker.com/get-docker/) installed.
- [Docker Compose](https://docs.docker.com/compose/install/) installed.
**Instructions:**
1. **Clone the Repository:**
```bash
git clone https://github.com/hackmelocal/CVE-2025-49113-Simulation.git
cd CVE-2025-49113-Simulation
```
2. **Start the Vulnerable Services:** In your terminal, run the command:
```bash
docker compose up
```
3. **Access Roundcube:** Open your web browser and navigate to `http://localhost:9876`.
4. **Perform the Exploit:**
- Open a **new, separate terminal window**.
- Follow the instructions in the next section.
File snapshot
[4.0K] /data/pocs/f4d22076bbf83404f8f9d6888f1a48db47c40bf3
├── [ 744] docker-compose.yml
├── [4.8K] installer.sh
└── [3.4K] README.md
0 directories, 3 files