• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved Plesk Rouncube and exploit CVE-2023-5631

M

M-Ruiter

New Pleskian
Looks like Roundcube is still at version 1.6.0 with latest plesk installations while only version 1.6.4 will fix this.
 
Plesk plans to update Roundcube to version 1.6.4, respectively 1.4.15 where this is not possible due to operating system limitations, in the upcoming release 18.0.57 which is scheduled for the middle of November.
 
Mid-November?

This is a security vulnerability that is already being exploited!

What's wrong with you?

You should fix / roll this out in a few hours!

With little understanding
Stephan Schröder
 
  • Like
Reactions: B_P
Hello together,
I assume when you ensure that you run the latest roundcube 1.6.3 shipped by plesk packages, that you should be able to implement the following changes manually that should be overwritten automatically as soon as plesk ships 1.6.4 (You may better wait for an official confirmation from the Plesk Team that this is save to be done or not):

All changes necessary can be found in the link below, so locate the files, back them up in a folder outside of it's original location and then apply the small changes and you should be good to go.
2 Files should be modified, where maybe the first one is enough, as the test directory sounds to me like it might be just used as auto test during package creation, but as I never packaged roundcube myself, you better change both to be sure:
- program/lib/Roundcube/rcube_washtml.php
- tests/Framework/Washtml.php

Changes needed can be copy and pasted from here:
github.com

Fix cross-site scripting (XSS) vulnerability in handling of SVG in HT… · roundcube/roundcubemail@7b2df52

…ML messages (#9168)
github.com github.com

Best regards
Flashdown - A simple Plesk user running Debian
 
Flashdown said:
Hello together,
I assume when you ensure that you run the latest roundcube 1.6.3 shipped by plesk packages, that you should be able to implement the following changes manually that should be overwritten automatically as soon as plesk ships 1.6.4 (You may better wait for an official confirmation from the Plesk Team that this is save to be done or not):

All changes necessary can be found in the link below, so locate the files, back them up in a folder outside of it's original location and then apply the small changes and you should be good to go.
2 Files should be modified, where maybe the first one is enough, as the test directory sounds to me like it might be just used as auto test during package creation, but as I never packaged roundcube myself, you better change both to be sure:
- program/lib/Roundcube/rcube_washtml.php
- tests/Framework/Washtml.php

Changes needed can be copy and pasted from here:
github.com

Fix cross-site scripting (XSS) vulnerability in handling of SVG in HT… · roundcube/roundcubemail@7b2df52

…ML messages (#9168)
github.com github.com

Best regards
Flashdown - A simple Plesk user running Debian
Click to expand...

I guess this would be a quick fix on any 18.0.56 Update #1 system:

Code: 
mv /usr/share/psa-roundcube/program/lib/Roundcube/rcube_washtml.php /usr/share/psa-roundcube/program/lib/Roundcube/rcube_washtml.php_bck
wget https://raw.githubusercontent.com/roundcube/roundcubemail/master/program/lib/Roundcube/rcube_washtml.php -P /usr/share/psa-roundcube/program/lib/Roundcube/
 
Mark_NLD said:
I guess this would be a quick fix on any 18.0.56 Update #1 system:

Code: 
mv /usr/share/psa-roundcube/program/lib/Roundcube/rcube_washtml.php /usr/share/psa-roundcube/program/lib/Roundcube/rcube_washtml.php_bck
wget https://raw.githubusercontent.com/roundcube/roundcubemail/master/program/lib/Roundcube/rcube_washtml.php -P /usr/share/psa-roundcube/program/lib/Roundcube/
Click to expand...
Well this looks dangerous to me.

Why?
-> First of all you are getting the file from the current master branch, usually when a version is released then this branch will be used for the next version, so this is what makes it dangerous in terms of possible incompatibilities.

Next, I didnt check if there where further changes done to this file between version 1.6.3 and 1.6.4 so there could be incompatible changes in it. This is why I suggested to do these changes for fixing the CVE manually once, if you check it yourself and find no other changes beeing done in this file, then you can grab it via the commit I am referring to, otherwise do it manually once and then you have a file to deploy.

Also creating the backup file in the same location is not that good as you will forget about this file and it will remain forever. The Debian Package Management Systems keeps track of the files coming from a Debian package and ensures this doesnt happen. Therefore better put the backup file into /root/

Also you are moving the old original file away, thus losing the current permissions, user and group assigned to it. So better copy the file for backup away and keep the original in it's place, then just override the file with cp and the permissions, user and group will remain.
 
Peter Debik said:
Please wait on the official update. Staff is already preparing it, and it will come very soon, probably within the next few days.
Click to expand...
... coming back to the discussion of the annual price increase. With the price increases we have seen since Plesk has been bought by WebPros, customers expect an excellent support.
An update "within the next few days" for a vulnerability (where a known fix in terms of an available update for an open source component exists) is clearly NOT what falls under excellent support. Anything > 24 hours is not acceptable here.
 
@B_P Sorry to hear that this is still not fast enough for you. Which other vendors do you know who have fixed this vulnerability in their panels faster? Are you aware that for similar issues, e.g. with smartphone operating systems and apps, with office software, popular email apps etc. such vulnerabilities normally take weeks to be fixed? Is the expectation of an instant fix realistic?
 
Flashdown said:
Well this looks dangerous to me.

Why?
-> First of all you are getting the file from the current master branch, usually when a version is released then this branch will be used for the next version, so this is what makes it dangerous in terms of possible incompatibilities.

Next, I didnt check if there where further changes done to this file between version 1.6.3 and 1.6.4 so there could be incompatible changes in it. This is why I suggested to do these changes for fixing the CVE manually once, if you check it yourself and find no other changes beeing done in this file, then you can grab it via the commit I am referring to, otherwise do it manually once and then you have a file to deploy.

Also creating the backup file in the same location is not that good as you will forget about this file and it will remain forever. The Debian Package Management Systems keeps track of the files coming from a Debian package and ensures this doesnt happen. Therefore better put the backup file into /root/

Also you are moving the old original file away, thus losing the current permissions, user and group assigned to it. So better copy the file for backup away and keep the original in it's place, then just override the file with cp and the permissions, user and group will remain.
Click to expand...

I have checked it and there where no further changes between 1.6.3 and 1.6.4 so you can apply the patch on 18.0.56 Update #1 by running this, at your own risk as I did:

cp /usr/share/psa-roundcube/program/lib/Roundcube/rcube_washtml.php /root/ cd /root/ && wget https://raw.githubusercontent.com/roundcube/roundcubemail/6ee6e7ae301e165e2b2cb703edf75552e5376613/program/lib/Roundcube/rcube_washtml.php && cp rcube_washtml.php.1 /usr/share/psa-roundcube/program/lib/Roundcube/rcube_washtml.php && echo done
 
You must log in or register to reply here.

Similar threads

J.Wick
Issue Multiple Vulnerabilities in PHP 5 thru 8.3.7 Could Allow for Remote Code Execution - PATCH NOW
Replies
2
Views
2K
Tobias Sorensson
T
D
Question vulnerability CVE-2021-21708 - PHP Code Execution
Replies
1
Views
2K
IgorG
IgorG
M
Question dovecot update when?
Replies
6
Views
2K
mow
M
P
Forwarded to devs Roundcube security updates 1.3.3, 1.2.7 and 1.1.10 released
Replies
2
Views
1K
IgorG
IgorG
burnley
Issue [17.5.3] Plesk for Linux patches, still a bloody disgrace
Replies
8
Views
2K
trialotto
T
Back
Top