Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Roundcube Webmail Remote Code Execution Vulnerability via PHP Object Deserialization

Vulnerability

A remote code execution vulnerability has been identified in Roundcube Webmail versions prior to 1.5.10 and 1.6.x versions prior to 1.6.11. It allows authenticated users to execute arbitrary code via the '_from' URL parameter, which 'program/actions/settings/upload.php' does not properly validate. The missing validation leads to PHP object deserialization, a common vector for such attacks.

Impact

Exploitation of this vulnerability allows for post-authentication remote code execution on the server where Roundcube is hosted.

Reproduction

To reproduce this vulnerability, an authenticated user sends a request to 'program/actions/settings/upload.php' with a crafted '_from' parameter that contains disallowed characters. The server responds with an error indicating that the input was rejected, but the malformed parameter can still be used to manipulate the application's object handling in a way that executes arbitrary code.
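The two facts the advisory gives a defender are the affected version ranges and the shape of the request: a request for the settings upload action whose '_from' value carries characters the application rejects. The following Python script is an added example, not code from the advisory or from the Roundcube project. It (1) classifies a Roundcube version string against the ranges stated above and (2) scans web-server access-log lines for requests that reach the upload action with a '_from' value outside a conservative allowed character set. The allowed set `[A-Za-z0-9_-]` is an assumption chosen for detection purposes, not Roundcube's own validation rule; the `_task=settings&_action=upload` query-string routing is assumed from how Roundcube dispatches actions, and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format) for a hypothetical Roundcube host.
# Only the second line carries a '_from' value with characters outside the allowed set.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2025:19:46:01 +0000] "GET /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512
10.0.0.9 - - [09/Jun/2025:19:47:13 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity%3B%22 HTTP/1.1" 400 88
10.0.0.7 - - [09/Jun/2025:19:48:40 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 2048
"""

# Combined Log Format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# ASSUMPTION: a benign '_from' value is a short identifier. Anything else is flagged.
ALLOWED_FROM = re.compile(r'^[A-Za-z0-9_-]*$')


def is_vulnerable_version(version):
    """Return True if a Roundcube version falls in the affected ranges:
    anything before 1.5.10, or 1.6.x before 1.6.11 (per the advisory)."""
    nums = [int(n) for n in re.findall(r'\d+', version)]
    nums += [0] * (3 - len(nums))          # pad "1.6" to (1, 6, 0)
    major, minor, patch = nums[:3]
    if (major, minor) < (1, 5):
        return True                         # e.g. 1.4.x is "prior to 1.5.10"
    if (major, minor) == (1, 5):
        return patch < 10
    if (major, minor) == (1, 6):
        return patch < 11
    return False                            # 1.7+ is not named as affected


def parse_log_line(line):
    """Parse one access-log line into a dict with the decoded query string, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec['target'])
    rec['path'] = url.path
    rec['query'] = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    return rec


def targets_upload_action(rec):
    """True if the request reaches the settings upload action, either through the
    assumed _task/_action routing or by naming upload.php directly in the path."""
    if rec['path'].endswith('upload.php'):
        return True
    q = rec['query']
    return q.get('_task', [''])[0] == 'settings' and q.get('_action', [''])[0] == 'upload'


def find_suspicious_requests(log_text):
    """Return one hit per upload-action request whose '_from' value contains
    characters outside ALLOWED_FROM."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or not targets_upload_action(rec):
            continue
        for value in rec['query'].get('_from', []):
            if not ALLOWED_FROM.match(value):
                hits.append({'ip': rec['ip'], 'ts': rec['ts'],
                             'status': rec['status'], 'from': value})
    return hits


if __name__ == '__main__':
    for v in ('1.4.15', '1.5.9', '1.5.10', '1.6.10', '1.6.11'):
        print(v, 'vulnerable' if is_vulnerable_version(v) else 'not affected')
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print('suspicious _from from', hit['ip'], 'at', hit['ts'], '->', repr(hit['from']))
```

Two caveats when running this against real logs: the advisory says the parameter travels in the URL, so an access log is enough, but if a client places '_from' in a POST body the web-server log will not show it and the check has to move to the application or WAF log; and a rejected request (HTTP 400 in the sample) is still worth recording, since the advisory states the error response does not mean the input was harmless.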

Remediation

Users are advised to update to Roundcube Webmail version 1.5.10 or 1.6.11.

Added: Jun 9, 2025, 7:46 PM
Updated: Feb 20, 2026, 7:51 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 10.0
exploitability: 7.1
remediation: 7.7
relevance: 0.1
threat: 9.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.