Comments on: Roundcube Webmail Scanning http://asert.arbornetworks.com/2009/01/roundcube-webmail-scanning/ A weblog dedicated to educating the community on security threats that matter Fri, 23 Jul 2010 13:52:39 +0000 hourly 1 http://wordpress.org/?v=abc By: GlasBlog » Blog Archive » Roundcube http://asert.arbornetworks.com/2009/01/roundcube-webmail-scanning/comment-page-1/#comment-195781 GlasBlog » Blog Archive » Roundcube Wed, 11 Feb 2009 10:14:35 +0000 http://asert.arbornetworks.com/?p=656#comment-195781 [...] dazu gibt es von SANS Internet Storm Center (erster Teil, zweiter Teil), ASERT Arbor Networks (Statistiken), Heise UK (Vulnerability in 0.2-1.alpha und 0.2-3.beta, das CVE dazu), Virus Blog (Webmail [...] [...] dazu gibt es von SANS Internet Storm Center (erster Teil, zweiter Teil), ASERT Arbor Networks (Statistiken), Heise UK (Vulnerability in 0.2-1.alpha und 0.2-3.beta, das CVE dazu), Virus Blog (Webmail [...]

]]> By: till http://asert.arbornetworks.com/2009/01/roundcube-webmail-scanning/comment-page-1/#comment-192919 till Fri, 23 Jan 2009 23:52:36 +0000 http://asert.arbornetworks.com/?p=656#comment-192919 Jose, I'm not objecting to you or anyone else providing background infos and/or full disclosure in general. I was just saying that we did not let anything slip under the table in the accouncements and releases. Cheers+Thanks, Till Jose,

I’m not objecting to you or anyone else providing background infos and/or full disclosure in general. I was just saying that we did not let anything slip under the table in the accouncements and releases.

Cheers+Thanks,
Till

]]> By: Jose Nazario http://asert.arbornetworks.com/2009/01/roundcube-webmail-scanning/comment-page-1/#comment-192264 Jose Nazario Mon, 19 Jan 2009 00:24:16 +0000 http://asert.arbornetworks.com/?p=656#comment-192264 till, please re-read the blog post very carefully and with an open approach. neither i nor anyone is saying you're not disclosing or addressing issues when your team finds out about them. based on my experience in this field, typically when someone begins scanning for a specific URI like this it's to attack a specific vulnerability in that component. so what i am saying is that if there is a vulnerability that some folks - aka black hats - know about it's not known to the wider community. nothing more, and certainly nothing saying anything disagreeable about roundcube or that any of the developers haven't been responsible or forthcoming. my only point in this blog post has been to get some stats out there and to share some info that hadn't been shared publicly about the origins and targets of these scans, that's all. till, please re-read the blog post very carefully and with an open approach. neither i nor anyone is saying you’re not disclosing or addressing issues when your team finds out about them. based on my experience in this field, typically when someone begins scanning for a specific URI like this it’s to attack a specific vulnerability in that component. so what i am saying is that if there is a vulnerability that some folks – aka black hats – know about it’s not known to the wider community.

nothing more, and certainly nothing saying anything disagreeable about roundcube or that any of the developers haven’t been responsible or forthcoming.

my only point in this blog post has been to get some stats out there and to share some info that hadn’t been shared publicly about the origins and targets of these scans, that’s all.

]]> By: rawsome http://asert.arbornetworks.com/2009/01/roundcube-webmail-scanning/comment-page-1/#comment-192156 rawsome Sat, 17 Jan 2009 16:18:09 +0000 http://asert.arbornetworks.com/?p=656#comment-192156 Yea, it's super aggressive. I've seen the same host hitting boxes in three locations on three networks. The abuse team at superb.net isn't very hasty about taking down their compromised hosts either. Yea, it’s super aggressive. I’ve seen the same host hitting boxes in three locations on three networks. The abuse team at superb.net isn’t very hasty about taking down their compromised hosts either.

]]> By: till http://asert.arbornetworks.com/2009/01/roundcube-webmail-scanning/comment-page-1/#comment-192041 till Sat, 17 Jan 2009 02:13:01 +0000 http://asert.arbornetworks.com/?p=656#comment-192041 Hi, in regard to your comments about "disclosing" vulnerabilities, I don't really like the general ton of your blog post. ;-) Initially when we released the security update in December, the issues were about html2text and a possible DoS in the rendering of the quota img. We responded to those in a timely manner. As for the msgimport script, the reason why this hasn't been mentioned in Dec is that the msgimport script was renamed to msgimport.sh over 10 months ago. Now according to my rather poor mathematical skills that's anywhere between February and March of last year (2008). And that's the only reason. As for backup to my claims: http://trac.roundcube.net/log/trunk/roundcubemail/bin/msgimport.sh I don't recall any reports back then -- I could be wrong though. We run public mailinglists (http://lists.roundcube.net) which are indexed by various other public archives, so in case you find an email reporting it, you can narrow down the date. In the past 10 months, there have been roughly four releases (if you count the patches as their own release) where some people apparently decided not to update RoundCube to a more secure, more feature rich and also faster releases. Aside from those we a) carry a low version number not for 'web2 hype' purposes but because we don't recommend RoundCube for production, b) we frequently urge people to update, c) we ping maintainers of the RoundCube packages on various distros and d) we recommend and help people to setup RoundCube from SVN to ease the pain of upgrades. Anyway, I don't want to get all defensive even though the above reads like it. ;-) We are open to all feedback, we have nothing to hide, always feel free to talk to us, report bugs, give feedback and so on. Cheers, Till Hi,

in regard to your comments about “disclosing” vulnerabilities, I don’t really like the general ton of your blog post. ;-)

Initially when we released the security update in December, the issues were about html2text and a possible DoS in the rendering of the quota img. We responded to those in a timely manner.

As for the msgimport script, the reason why this hasn’t been mentioned in Dec is that the msgimport script was renamed to msgimport.sh over 10 months ago. Now according to my rather poor mathematical skills that’s anywhere between February and March of last year (2008). And that’s the only reason.

As for backup to my claims:
http://trac.roundcube.net/log/trunk/roundcubemail/bin/msgimport.sh

I don’t recall any reports back then — I could be wrong though. We run public mailinglists (http://lists.roundcube.net) which are indexed by various other public archives, so in case you find an email reporting it, you can narrow down the date.

In the past 10 months, there have been roughly four releases (if you count the patches as their own release) where some people apparently decided not to update RoundCube to a more secure, more feature rich and also faster releases.

Aside from those we a) carry a low version number not for ‘web2 hype’ purposes but because we don’t recommend RoundCube for production, b) we frequently urge people to update, c) we ping maintainers of the RoundCube packages on various distros and d) we recommend and help people to setup RoundCube from SVN to ease the pain of upgrades.

Anyway, I don’t want to get all defensive even though the above reads like it. ;-) We are open to all feedback, we have nothing to hide, always feel free to talk to us, report bugs, give feedback and so on.

Cheers,
Till

]]>