Roundcube Webmail Scanning
by Jose Nazario

I’ve been watching this for a couple of weeks now. I saw some initial requests to look at some data to discover what they may be after. I’ve seen some data about known attack vectors, but I haven’t seen what may be going on with the new “msgimport” function or any attacks against it. It’s possible that the “msgimport” URI is just a distinctive marker for Roundcube; it may also have a vulnerability I didn’t see in my cursory static analysis of the code.
In a message entitled Security update for 0.2-beta dated December 16, the authors fixed a couple of bugs. One allowed for a DoS by chewing up disk space, while the other allowed for code injection via the HTML conversion script “html2text”. Neither mentions the scanned-for script, “msgimport”. Looking over the Roundcube SVN pages I don’t see anything there, either.
So, I have a couple of weeks of logs to dig into … a bunch of scans. Where are they coming from? Not surprisingly, mostly the US, according to the logs on this WWW server.
In this map, red shows the most serious source of scanners, blue the least, and purple the middle. This may be clearer using a different representation of the data, a pie graph.
ATLAS sees it a bit differently, though:
Country   Country Name     Attacks per subnet   Percent Total
CH        Switzerland      0.24                 78.1%
GB        Great Britain    0.06                 20.6%
US        United States    0.00                 1.2%
FR        France           0.00                 0.1%
Other     N/A              0.00                 0.0%
In ATLAS this is not a major source of attacks, however.
Scans by day starting January 1 of this year show no obvious pattern. The activity doesn’t seem to be slowing or growing; it just seems to be a new background attack.
Finally, and perhaps most revealing, we can see what they’re scanning for. The “msgimport” script is the most popular, but the JS file “list.js” is also being scanned for. I quickly looked that over but didn’t see anything worrisome there; I may have missed something.
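One way to pull the same per-path, per-day and per-source counts out of ordinary combined-format web server logs, as an added example that is not part of the original post; the log lines, IP addresses and request paths below are constructed for illustration:

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Request-path substrings that mark a Roundcube probe in the post:
# the old bin/msgimport script (also matches msgimport.sh) and list.js.
ROUNDCUBE_MARKERS = ("msgimport", "list.js")

# Constructed sample log (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jan/2009:10:12:01 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [03/Jan/2009:10:12:02 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.9 - - [03/Jan/2009:11:40:17 -0500] "GET /mail/program/js/list.js HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
192.0.2.44 - - [04/Jan/2009:02:05:33 -0500] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Jan/2009:03:15:09 -0500] "GET /rc/bin/msgimport HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    stamp = rec["ts"].split()[0]  # drop the timezone offset
    rec["date"] = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S").date().isoformat()
    return rec

def summarize(log_text):
    """Return (hits per marker, hits per day, hits per source IP) for Roundcube probes."""
    by_marker, by_day, by_ip = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        marker = next((mk for mk in ROUNDCUBE_MARKERS if mk in rec["path"]), None)
        if marker is None:
            continue  # ordinary traffic, not a Roundcube probe
        by_marker[marker] += 1
        by_day[rec["date"]] += 1
        by_ip[rec["ip"]] += 1
    return by_marker, by_day, by_ip

if __name__ == "__main__":
    for title, counts in zip(("By path", "By day", "By source"), summarize(SAMPLE_LOG)):
        print(title, dict(counts))
```

Feed the script your own access log instead of SAMPLE_LOG to reproduce the by-day and by-path views from the post; the source counts give the per-IP breakdown a geolocation lookup would start from.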
In short, something may be going on but I don’t know what it is.

Hi,
in regard to your comments about “disclosing” vulnerabilities, I don’t really like the general tone of your blog post. ;-)
Initially when we released the security update in December, the issues were about html2text and a possible DoS in the rendering of the quota img. We responded to those in a timely manner.
As for the msgimport script, the reason why this hasn’t been mentioned in Dec is that the msgimport script was renamed to msgimport.sh over 10 months ago. Now according to my rather poor mathematical skills that’s anywhere between February and March of last year (2008). And that’s the only reason.
As for backup to my claims:
http://trac.roundcube.net/log/trunk/roundcubemail/bin/msgimport.sh
I don’t recall any reports back then — I could be wrong though. We run public mailing lists (http://lists.roundcube.net) which are indexed by various other public archives, so in case you find an email reporting it, you can narrow down the date.
In the past 10 months, there have been roughly four releases (if you count the patches as their own release) where some people apparently decided not to update RoundCube to more secure, more feature-rich and also faster releases.
Aside from those we a) carry a low version number not for ‘web2 hype’ purposes but because we don’t recommend RoundCube for production, b) we frequently urge people to update, c) we ping maintainers of the RoundCube packages on various distros and d) we recommend and help people to set up RoundCube from SVN to ease the pain of upgrades.
Anyway, I don’t want to get all defensive even though the above reads like it. ;-) We are open to all feedback, we have nothing to hide, always feel free to talk to us, report bugs, give feedback and so on.
Cheers,
Till