CVE-2011-4078
Published 2011-11-03
CVE-2011-4078: include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET request for an arbitrary…
Priority: P4 · 24 · medium 5 (CVSS 2.0) · AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 2.26% (80.8th percentile)
include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET request for an arbitrary URL, and cause a denial of service (resource consumption and inbox outage), via a Subject header containing only a URL, a related issue to CVE-2011-3379.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 0.6+dfsg-1 (bookworm) | roundcube 0.6+dfsg-1 (bookworm) |
| roundcube | webmail | <= 0.5.4 | — |
The remaining 13 ranges list roundcube / webmail with no version range or fixed version recorded.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
Debian (vendor_debian · 2011 · CVSS 7.5 HIGH)
CVE-2011-4078: roundcube - include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3...
Scope: local
bookworm: resolved (fixed in 0.6+dfsg-1)
bullseye: resolved (fixed in 0.6+dfsg-1)
forky: resolved (fixed in 0.6+dfsg-1)
sid: resolved (fixed in 0.6+dfsg-1)
trixie: resolved (fixed in 0.6+dfsg-1)
GHSA (ghsa_unreviewed · 2022-05-17 · CVSS 7.5 HIGH)
GHSA-w3fh-pxv3-4cx4: include/iniset
OSV (osv · 2011-11-03 · CVSS 7.5 HIGH)
CVE-2011-4078: include/iniset
No detection rules found.
No public exploits indexed.
Bugzilla (bugzilla · 2011-10-26 · CVSS 1.9 LOW)
CVE-2010-4078 php-pear-MDB2, roundcubemail: DoS (unavailability to access user's INBOX) after receiving an email message with the URL in the Subject [epel-6]
epel-6 tracking bug for php-pear-MDB2: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
The behaviour of the is_a() PHP routine has been restored to that of <= php-v5.3.6; see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3379 for further information.
This means the php-pear-MDB2 package, as shipped within Fedora EPEL 6, would NOT be affected by the CVE-2011-4078 issue. Closing this bug.
Bugzilla (bugzilla · 2011-10-26 · CVSS 7.5 HIGH)
CVE-2011-4078 php-pear-MDB2, roundcubemail: DoS (unavailability to access user's INBOX) after receiving an email message with the URL in the Subject [fedora-15]
fedora-15 tracking bug for roundcubemail: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
The behaviour of the is_a() PHP routine has been restored to that of <= php-v5.3.6; see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3379 for further information.
This means the roundcubemail package, as shipped with Fedora release 15, would NOT be affected by the CVE-2011-4078 issue. Closing this bug.
Bugzilla (bugzilla · 2011-10-26 · CVSS 7.5 HIGH)
CVE-2011-4078 php-pear-MDB2, roundcubemail: DoS (unavailability to access user's INBOX) after receiving an email message with the URL in the Subject
A security flaw was found in the way Round Cube Webmail, a browser-based multilingual IMAP client, processed certain email messages containing a URL link in the message Subject, when the Suhosin check for dangerous PHP file inclusion was enabled. A remote attacker could send a specially-crafted email message to the victim, leading to a denial of service (a situation where the victim could not open their mail INBOX folder while the crafted email message was present).
References:
[1] http://trac.roundcube.net/ticket/1488086
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646675
[3] https://bugs.php.net/bug.php?id=55475
Discussion:
Relevant upstream
Bugzilla (bugzilla · 2011-10-26 · CVSS 7.5 HIGH)
CVE-2011-4078 php-pear-MDB2, roundcubemail: DoS (unavailability to access user's INBOX) after receiving an email message with the URL in the Subject [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link: https://admin.fedoraprojec
Bugzilla (bugzilla · 2011-10-26 · CVSS 7.5 HIGH)
CVE-2011-4078 php-pear-MDB2, roundcubemail: DoS (unavailability to access user's INBOX) after receiving an email message with the URL in the Subject [epel-6]
epel-6 tracking bug for roundcubemail: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
The behaviour of the is_a() PHP routine has been restored to that of <= php-v5.3.6; see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3379 for further information.
This means the roundcubemail package, as shipped with the Fedora EPEL 6 release, would NOT be affected by the CVE-2011-4078 issue. Closing this bug.
Bugzilla (bugzilla · 2011-10-26 · CVSS 7.5 HIGH)
CVE-2011-4078 php-pear-MDB2, roundcubemail: DoS (unavailability to access user's INBOX) after receiving an email message with the URL in the Subject [epel-5]
epel-5 tracking bug for php-pear-MDB2: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
The behaviour of the is_a() PHP routine has been restored to that of <= php-v5.3.6; see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3379 for further information.
This means the php-pear-MDB2 package, as shipped within Fedora EPEL 5, would NOT be affected by the CVE-2011-4078 issue. Closing this bug.
References:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
http://openwall.com/lists/oss-security/2011/10/26/6
http://trac.roundcube.net/ticket/1488086
http://www.securityfocus.com/bid/50402
https://exchange.xforce.ibmcloud.com/vulnerabilities/71025