roundcubemail incompatible with php-5.6

Franz Skale i.bin at dah.am
Thu Jan 15 19:31:36 CET 2015



Hi Thomas,
this is a suhosin issue with url variables that are zero in length.
The variable gets dropped in the request and that will result in a null
byte attack.
Read the git:
https://github.com/stefanesser/suhosin/issues/62


Rgds.

Franz

On 15.01.15 at 17:20, Thomas Spuhler wrote:
> this was thread upgrading from 3.0 to 3.3, but has nothing to do with upgrading kolab
>
> I am still working on this and I think I am honing in on the problem:
> I upgraded everything but not:
> Roundcubemail
> php (to php2.6)
> apache
>
> and I have no problem logging in. After updating php and apache, I get the following error in the
> journalctl  httpd.service
> Jan 14 17:59:41 vbox.btspuhler.com suhosin[4907]: ALERT - ASCII-NUL chars not allowed within request 
> variables - dropped variable '_url' (attacker '127.0.0.1', file '/usr/share/roundcubemail/index.php')
> Jan 14 17:59:41 vbox.btspuhler.com suhosin[4907]: ALERT - dropped 1 request variables - (0 in GET, 1 
> in POST, 0 in COOKIE) (attacker '127.0.0.1', file '/usr/share/roundcubemail/index.php')
>
> Has anybody else experienced this? 
>
>
>
> _______________________________________________
> users mailing list
> users at lists.kolab.org
> https://lists.kolab.org/mailman/listinfo/users
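
Added example (not from either message, and not Roundcube or suhosin code): a small Python triage of suhosin ALERT lines in the format quoted above, grouping dropped variables by script, variable name and reason and summing the per-channel drop counts. The sample lines are constructed from that format with a placeholder hostname, and each alert is assumed to sit on a single journal line.

```python
import re
from collections import defaultdict

# Constructed sample: same format as the quoted journal lines, placeholder host.
SAMPLE = """\
Jan 14 17:59:41 mail.example suhosin[4907]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable '_url' (attacker '127.0.0.1', file '/usr/share/roundcubemail/index.php')
Jan 14 17:59:41 mail.example suhosin[4907]: ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker '127.0.0.1', file '/usr/share/roundcubemail/index.php')
Jan 14 18:02:10 mail.example suhosin[4911]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable '_url' (attacker '127.0.0.1', file '/usr/share/roundcubemail/index.php')
Jan 14 18:02:10 mail.example suhosin[4911]: ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker '127.0.0.1', file '/usr/share/roundcubemail/index.php')
Jan 14 18:02:11 mail.example httpd[4800]: unrelated line
"""

# Outer shape: "suhosin[pid]: ALERT - <message> (attacker '<ip>', file '<script>')"
ALERT = re.compile(r"suhosin\[\d+\]: ALERT - (?P<msg>.*) "
                   r"\(attacker '(?P<src>[^']*)', file '(?P<file>[^']*)'\)\s*$")
# Per-variable alert: "<reason> - dropped variable '<name>'"
DROPPED = re.compile(r"^(?P<reason>.*?) - dropped variable '(?P<var>[^']*)'$")
# Per-request summary: "dropped N request variables - (a in GET, b in POST, c in COOKIE)"
SUMMARY = re.compile(r"^dropped \d+ request variables - \((?P<GET>\d+) in GET, "
                     r"(?P<POST>\d+) in POST, (?P<COOKIE>\d+) in COOKIE\)$")


def triage(text):
    """Return (drops, channels): drops keyed by (script, variable, reason)."""
    drops = defaultdict(lambda: {"count": 0, "sources": set()})
    channels = {"GET": 0, "POST": 0, "COOKIE": 0}
    for line in text.splitlines():
        alert = ALERT.search(line)
        if not alert:
            continue  # not a suhosin alert in the expected shape
        var = DROPPED.match(alert["msg"])
        if var:
            entry = drops[(alert["file"], var["var"], var["reason"])]
            entry["count"] += 1
            entry["sources"].add(alert["src"])
            continue
        summary = SUMMARY.match(alert["msg"])
        if summary:
            for name in channels:
                channels[name] += int(summary[name])
    return dict(drops), channels


if __name__ == "__main__":
    drops, channels = triage(SAMPLE)
    for (script, var, reason), info in sorted(drops.items()):
        print(f"{info['count']}x {var!r} in {script}: {reason} "
              f"(sources: {', '.join(sorted(info['sources']))})")
    print("dropped per channel:", channels)
```

On the constructed sample every drop is the same POST variable in the same script from 127.0.0.1, which is the pattern in the quoted log.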
