Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 5.0
CVE Id CVE-2011-4078
Last Modified 03 Jul 2012 12:04:03
Published 03 Nov 2011 11:55:00
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2011-4078

Summary

include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET request for an arbitrary URL, and cause a denial of service (resource consumption and inbox outage), via a Subject header containing only a URL, a related issue to CVE-2011-3379.

Vulnerable Systems

Application

  • Roundcube Webmail 0.1

  • Roundcube Webmail 0.1.1

  • Roundcube Webmail 0.2

  • Roundcube Webmail 0.2.1

  • Roundcube Webmail 0.3

  • Roundcube Webmail 0.3.1

  • Roundcube Webmail 0.4

  • Roundcube Webmail 0.4.1

  • Roundcube Webmail 0.4.2

  • Roundcube Webmail 0.5

  • Roundcube Webmail 0.5.1

  • Roundcube Webmail 0.5.2

  • Roundcube Webmail 0.5.3

  • Roundcube Webmail 0.5.4


References

CONFIRM - http://trac.roundcube.net/ticket/1488086

MLIST - [oss-security] 20111026 Re: CVE Request -- Round Cube Webmail -- DoS (unavailability to access user's INBOX) after receiving an email message with the URL in the Subject

XF - webmail-uri-dos(71025)

BID - 50402

HP - HPSBMU02786

HP - SSRT100877


Last Updated: 27 May 2016 10:57:23