roundcubemail incompatible with php-5.6

Thomas Spuhler thomas.spuhler at btspuhler.com
Thu Jan 15 19:42:30 CET 2015


On Thursday, January 15, 2015 07:31:36 PM Franz Skale wrote:
> Hi Thomas,
> this is a suhosin issue with url variables that are zero in length.
> The variable get dropped in the reqeust and that will result in a null
> byte attack.
> Read the git:
> https://github.com/stefanesser/suhosin/issues/62
> 
> 
> Rgds.
> 
> Franz
> 
>  Am 15.01.15 um 17:20 schrieb Thomas Spuhler:
> > this was tread upgrading from 3.0 to 3.3, but has nothing to do with upgrading kolab
> > 
> > I am still working on this and I think I am honing in on the problem:
> > I upgraded everything but not:
> > Roundcubemail
> > php (to php2.6)
> > apache
> > 
> > and I have not problem to login. After updating php and apache, I get the following error in the
> > journalctl  httpd.service
> > Jan 14 17:59:41 vbox.btspuhler.com suhosin[4907]: ALERT - ASCII-NUL chars not allowed within
> > request variables - dropped variable '_url' (attacker '127.0.0.1', file
> > '/usr/share/roundcubemail/index.php') Jan 14 17:59:41 vbox.btspuhler.com suhosin[4907]: ALERT -
> > dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker '127.0.0.1', file
> > '/usr/share/roundcubemail/index.php')
> > 
> > Has anybody else experienced this?
> > 
> > 
> > 
> > _______________________________________________
> > users mailing list
> > users at lists.kolab.org
> > https://lists.kolab.org/mailman/listinfo/users


Thanks a lot for the reply. This makes sense why I cannot login in roundcube anymore.
I will post this on our Mageia developer ml.

-- 
Best regards
Thomas Spuhler

All of my e-mails have a valid digital signature
ID 60114E63
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.kolab.org/pipermail/users/attachments/20150115/26f155ae/attachment.sig>


More information about the users mailing list