Roundcube Webmail Local and Private URL Fetch Bypass Vulnerability

Vulnerability

A vulnerability in Roundcube Webmail's HTML sanitization for message rendering lets URLs that point at loopback, localhost, RFC 1918, link-local, and ULA addresses pass through, even when loading of remote content is disabled. A remote attacker can exploit this by sending an HTML email that, when previewed, causes the recipient's browser to issue requests to services on the recipient's own machine or private network.

Impact

The requests are issued by the recipient's browser, not by the webmail server, so they reach services that are only accessible from the recipient's workstation or internal network, including management interfaces that rely on a private address for protection. Depending on the target service, this can mean unauthorized data access or disruption of that service, triggered without the user having chosen to load remote content.

Reproduction

To reproduce, send a Roundcube Webmail user an HTML email whose remote references (for example an img src) point at addresses the sanitizer is supposed to strip: 127.0.0.1, localhost, an RFC 1918 address such as 192.168.0.1, a link-local address such as 169.254.0.1, or an IPv6 ULA address. With remote content loading disabled, preview the message: the recipient's browser still issues requests to those addresses, which can be confirmed from a listener on the target address or from the browser's network inspector, showing that the references survived Roundcube's URL sanitization.
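As an added illustration of the check a sanitizer in this position has to make (example code written for this page, not Roundcube's own sanitizer): the script below extracts the URLs an HTML message can make a browser fetch and classifies each host against the address classes named above. It goes beyond the advisory text in one respect: it also normalizes the numeric spellings browsers accept for these addresses (127.1, 2130706433, 0x7f.1, IPv4-mapped IPv6), since a filter that matches only the canonical dotted form is easy to slip past. The sample message is constructed, and the function names are this example's own.

```python
"""Static check for HTML e-mail URLs that point at local or private addresses.

Added example, not Roundcube code. Flags loopback, localhost, RFC 1918,
link-local and ULA hosts, including the numeric spellings browsers accept.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "background", "poster", "action", "data"}
NETWORK_SCHEMES = {"http", "https", "ws", "wss", "ftp"}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")


def _ipv4_part(part):
    """One component of a browser-style IPv4 literal: hex (0x7f), octal (0177) or decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]*", part):
        return int(part[2:], 16) if len(part) > 2 else 0
    if len(part) > 1 and part[0] == "0":
        return int(part, 8) if re.fullmatch(r"0[0-7]+", part) else None
    return int(part) if re.fullmatch(r"[0-9]+", part) else None


def parse_legacy_ipv4(host):
    """Accept the 1-4 component forms browsers resolve (127.1, 2130706433, 0x7f.1)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_ipv4_part(p) for p in parts]
    if any(n is None for n in nums) or any(n > 255 for n in nums[:-1]):
        return None
    if nums[-1] >= 256 ** (5 - len(nums)):  # last component fills the remaining bytes
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value += n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)


def parse_ip(host):
    host = host.split("%", 1)[0]  # drop an IPv6 zone id before parsing
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return parse_legacy_ipv4(host)


def classify_ip(ip):
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 reaches the same place as 127.0.0.1
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"  # 0.0.0.0 / :: connect to the local host on many stacks
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.version == 6 and ip in ULA:
        return "ula"
    return None


def classify_host(host):
    """Return the address class a URL host falls in, or None if it is not local/private."""
    host = host.rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"  # RFC 6761 reserves these names for the loopback address
    ip = parse_ip(host)
    return classify_ip(ip) if ip is not None else None


def hostname_of(url):
    try:
        parts = urlsplit(url.strip())
        if parts.scheme and parts.scheme.lower() not in NETWORK_SCHEMES:
            return None  # cid:, data:, mailto: carry no network host
        return parts.hostname
    except ValueError:
        return None


class UrlCollector(HTMLParser):
    """Collects every URL a browser could fetch while rendering the message."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS:
                self.urls.append((tag, name, value.strip()))
            elif name == "style":
                self.urls.extend((tag, "style", u) for u in CSS_URL_RE.findall(value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.urls.extend(("style", "css", u) for u in CSS_URL_RE.findall(data))


def find_local_urls(html):
    collector = UrlCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for tag, attr, url in collector.urls:
        host = hostname_of(url)
        cls = classify_host(host) if host else None
        if cls:
            findings.append({"tag": tag, "attr": attr, "url": url, "host": host, "class": cls})
    return findings


# Constructed sample message body (not a real captured e-mail).
SAMPLE_EMAIL_HTML = """
<html><head><style>body { background: url(http://127.1/bg.png) }</style></head><body>
<img src="http://127.0.0.1:8080/admin/shutdown">
<img src="http://2130706433/">
<img src="http://0x7f.1/">
<img src="http://[::ffff:127.0.0.1]/">
<img src="http://localhost/">
<img src="http://192.168.1.1/cgi-bin/reboot">
<img src="http://169.254.169.254/latest/meta-data/">
<img src="http://[fd00::1]/">
<img src="https://example.com/tracker.gif">
<img src="cid:part1@example">
<a href="http://10.0.0.5/">link</a>
<div style="background: url('http://172.16.0.1/x.png')"></div>
</body></html>
"""

if __name__ == "__main__":
    for f in find_local_urls(SAMPLE_EMAIL_HTML):
        print(f"{f['class']:<11} <{f['tag']} {f['attr']}> {f['url']}")
```

Run stand-alone, the script lists eleven flagged references from the sample and ignores the public tracker and the cid: part. The same classifier doubles as a triage check over a suspicious message before it is previewed. A static check of this kind cannot catch a public hostname that resolves to a private address; that has to be handled at the DNS or network level and is outside what this advisory covers.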

Remediation

Update to Roundcube Webmail 1.6.16 (1.6 series) or 1.7.1 (1.7 series); both releases include the fix. The fix lives in the server-side sanitizer, so it is the webmail installation that has to be updated, not the users' browsers. Downloads and installation instructions are available on the Roundcube GitHub Releases page.

Added: May 28, 2026, 3:38 PM
Updated: May 28, 2026, 3:38 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 0.4
exploitability: 7.0
remediation: 7.7
relevance: 9.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.