Aleksander Machniak
2015-02-05 f6336f7f7ec7e65290b6fde23b8fd64627fe15b8
Fix security issue in DBMail driver of password plugin (#1490261)

Conflicts:

CHANGELOG
3 files modified
20 ■■■■ changed files
CHANGELOG 1 ●●●● patch | view | raw | blame | history
plugins/password/drivers/dbmail.php 17 ●●●● patch | view | raw | blame | history
plugins/password/helpers/chgdbmailusers.c 2 ●●● patch | view | raw | blame | history
CHANGELOG
@@ -2,6 +2,7 @@
===========================
- Make SMTP error log more verbose - include server response and error code
- Fix security issue in DBMail driver of password plugin (#1490261)
RELEASE 1.0.5
-------------
plugins/password/drivers/dbmail.php
@@ -20,10 +20,23 @@
    function save($currpass, $newpass)
    {
        $curdir   = RCUBE_PLUGINS_DIR . 'password/helpers';
        $username = escapeshellcmd($_SESSION['username']);
        $username = escapeshellarg($_SESSION['username']);
        $password = escapeshellarg($newpass);
        $args     = rcmail::get_instance()->config->get('password_dbmail_args', '');
        $command  = "$curdir/chgdbmailusers -c $username -w $password $args";
        exec("$curdir/chgdbmailusers -c $username -w $newpass $args", $output, $returnvalue);
        if (strlen($command) > 1024) {
            rcube::raise_error(array(
                'code' => 600,
                'type' => 'php',
                'file' => __FILE__, 'line' => __LINE__,
                'message' => "Password plugin: The command is too long."
                ), true, false);
            return PASSWORD_ERROR;
        }
        exec($command, $output, $returnvalue);
        if ($returnvalue == 0) {
            return PASSWORD_SUCCESS;
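Review bot: The guard `if (strlen($command) > 1024)` is tied to `char cmnd[1024]` in helpers/chgdbmailusers.c only through a repeated magic number, and it measures a different string: `$command` includes the helper path and the quotes added by `escapeshellarg()`, whereas the helper starts from its own `CMD` prefix. A command of exactly 1024 bytes also passes, which leaves no room for a terminating NUL if the two lengths ever coincide. I would make the check strict, `if (strlen($command) >= 1024) {`, and add a comment such as `// keep below sizeof(cmnd) in helpers/chgdbmailusers.c; the helper must still bound its own copy`. `save()` continues past the end of the hunk.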
plugins/password/helpers/chgdbmailusers.c
@@ -16,7 +16,7 @@
main(int argc, char *argv[])
{
  int cnt,rc,cc;
  char cmnd[255];
  char cmnd[1024];
  strcpy(cmnd, CMD);
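Review bot: Enlarging `cmnd` to 1024 bytes raises the overflow threshold, but the buffer is still filled without a bound, starting with `strcpy(cmnd, CMD)`. The code that appends the arguments is outside the hunk, so this is inferred, but if it uses `strcat` the helper still depends on every caller keeping its arguments short. The length check added in dbmail.php protects only that one caller, and a helper like this is presumably installed with elevated privileges, so the bound belongs in the helper itself. I would check the remaining space before each append and exit with an error on over-long input, e.g. `if (strlen(cmnd) + strlen(argv[cnt]) + 2 > sizeof(cmnd)) return 1;`. `main` continues past the end of the hunk.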