Roundcube Webmail Pre-authentication SQL Injection Vulnerability in virtuser_query Plugin

Vulnerability

A pre-authentication SQL injection vulnerability has been identified in the Roundcube Webmail virtuser_query plugin, affecting versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. The vulnerability arises from a backslash escape bypass in the plugin's use of preg_replace() to sanitise input: because backslashes defeat the escaping, injected SQL can reach the database and potentially be executed.

Impact

Exploitation of this vulnerability allows pre-authentication SQL injection: an attacker who can reach the plugin without logging in can manipulate the SQL queries it sends to the database. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a crafted request that exploits the backslash escape bypass in the virtuser_query plugin: the placeholders in the plugin's SQL query are filled from user input, and because the sanitisation applied to that input before the query is executed can be defeated with backslashes, injected SQL code ends up in the query the database runs.
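As an added, defender-side illustration (constructed example code, not the Roundcube plugin's code; the template, table, column names and addresses are made up), the following Python shows why escaping only quotes before substituting a placeholder into SQL text is insufficient, how a scanner following MySQL-style string-literal rules can tell whether a substituted value stayed inside its quotes, and the parameter-binding approach that removes the problem regardless of escaping.

```python
import re
import sqlite3

# Constructed example, not Roundcube's code: a made-up virtual-user lookup
# template whose %u placeholder is filled from a caller-supplied address,
# in the spirit of the plugin's query (the real template is not reproduced).
TEMPLATE = "SELECT username FROM virtual_users WHERE email = '%u'"


def escape_quotes_only(value: str) -> str:
    """Weak, preg_replace-style sanitisation: every single quote gets a
    backslash in front of it, but backslashes already present in the input
    are left alone, so a value ending in a backslash turns the template's
    closing quote into escaped text."""
    return re.sub(r"'", r"\\'", value)


def escape_backslash_aware(value: str) -> str:
    """Escape the backslash first, then the quote, so neither character can
    change how the surrounding quotes are parsed (MySQL-style rules)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def quoted_literal_end(sql: str, start: int) -> int:
    """Scan a single-quoted literal beginning at sql[start] under MySQL rules
    (backslash escapes the next character, '' is an embedded quote).
    Return the index of the closing quote, or -1 if the literal never closes."""
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":
            i += 2  # escaped character: skip it whatever it is
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2  # doubled quote inside the literal
            else:
                return i
        else:
            i += 1
    return -1


def substitution_is_contained(escaped: str) -> bool:
    """True if wrapping `escaped` in quotes yields exactly one literal whose
    closing quote is the one the template supplied; False if the value either
    swallowed that closing quote or closed the literal early."""
    fragment = "'" + escaped + "'"
    return quoted_literal_end(fragment, 0) == len(fragment) - 1


def build_query_weak(email: str) -> str:
    """The substitution pattern the advisory describes, with quote-only escaping."""
    return TEMPLATE.replace("%u", escape_quotes_only(email))


def build_query_fixed(email: str) -> str:
    """The same substitution with backslash-aware escaping."""
    return TEMPLATE.replace("%u", escape_backslash_aware(email))


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with one ordinary and one awkward address."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_users (email TEXT PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO virtual_users VALUES (?, ?)",
        [("alice@example.test", "alice"), ("o'hara\\@example.test", "ohara")],
    )
    return conn


def lookup_username(conn: sqlite3.Connection, email: str):
    """Preferred fix: bind the value instead of splicing it into the SQL text.
    No escaping is needed and the result does not depend on the dialect's
    backslash semantics (SQLite, unlike MySQL, does not treat backslash as
    an escape at all)."""
    row = conn.execute(
        "SELECT username FROM virtual_users WHERE email = ?", (email,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for addr in ["alice@example.test", "o'hara@example.test", "ends-with\\"]:
        print(repr(addr),
              "weak contained:", substitution_is_contained(escape_quotes_only(addr)),
              "fixed contained:", substitution_is_contained(escape_backslash_aware(addr)))
    print(lookup_username(demo_db(), "o'hara\\@example.test"))
```

The scanner makes the failure mode concrete: quote-only escaping handles a plain apostrophe, but a value ending in a backslash leaves the literal unterminated under MySQL rules, so whatever the template places after the closing quote is parsed as part of the string and the query structure is no longer what the template intended. Binding parameters, as in lookup_username(), sidesteps escaping altogether and is the change a reviewer should ask for.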

Remediation

Users are advised to update to Roundcube Webmail version 1.6.16 or 1.7.1, both of which include the fix for this vulnerability. Update instructions can be found in the release notes on the Roundcube GitHub repository.

Added: May 26, 2026, 6:48 PM
Updated: May 26, 2026, 6:48 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 8.9
remediation: 7.7
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.