CVE-2011-4078 : include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3

include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET request for an arbitrary URL, and cause a denial of service (resource consumption and inbox outage), via a Subject header containing only a URL, a related issue to CVE-2011-3379.

Published 2011-11-03 15:55:01

Updated 2017-08-29 01:30:27

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2011-4078

Roundcube » Webmail
Versions up to, including, (<=) 0.5.4
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.1 Update Beta
cpe:2.3:a:roundcube:webmail:0.1:beta:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.1 Update RC1
cpe:2.3:a:roundcube:webmail:0.1:rc1:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.1 Update Beta2
cpe:2.3:a:roundcube:webmail:0.1:beta2:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.1
cpe:2.3:a:roundcube:webmail:0.1:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.1 Update RC2
cpe:2.3:a:roundcube:webmail:0.1:rc2:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.1 Update Alpha
cpe:2.3:a:roundcube:webmail:0.1:alpha:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.1.1
cpe:2.3:a:roundcube:webmail:0.1.1:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.2
cpe:2.3:a:roundcube:webmail:0.2:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.2 Update Alpha
cpe:2.3:a:roundcube:webmail:0.2:alpha:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.2.1
cpe:2.3:a:roundcube:webmail:0.2.1:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.2 Update Beta
cpe:2.3:a:roundcube:webmail:0.2:beta:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.3
cpe:2.3:a:roundcube:webmail:0.3:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.3 Update Beta
cpe:2.3:a:roundcube:webmail:0.3:beta:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.3 Update RC1
cpe:2.3:a:roundcube:webmail:0.3:rc1:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.4.1
cpe:2.3:a:roundcube:webmail:0.4.1:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.4.2
cpe:2.3:a:roundcube:webmail:0.4.2:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.4 Update Beta
cpe:2.3:a:roundcube:webmail:0.4:beta:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.4
cpe:2.3:a:roundcube:webmail:0.4:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.3.1
cpe:2.3:a:roundcube:webmail:0.3.1:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.5 Update Beta
cpe:2.3:a:roundcube:webmail:0.5:beta:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.5 Update RC
cpe:2.3:a:roundcube:webmail:0.5:rc:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.5
cpe:2.3:a:roundcube:webmail:0.5:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.5.2
cpe:2.3:a:roundcube:webmail:0.5.2:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.5.1
cpe:2.3:a:roundcube:webmail:0.5.1:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8
Roundcube » Webmail » Version: 0.5.3
cpe:2.3:a:roundcube:webmail:0.5.3:*:*:*:*:*:*:*
Matching versions
When used together with: PHP » PHP » Version: 5.3.7
When used together with: PHP » PHP » Version: 5.3.8

Exploit prediction scoring system (EPSS) score for CVE-2011-4078

EPSS FAQ

0.86%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 73 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2011-4078

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2011-4078

CWE-399

Assigned by: nvd@nist.gov (Primary)

References for CVE-2011-4078

http://trac.roundcube.net/ticket/1488086

RC can be DoS'ed by sending specific email · Issue #3505 · roundcube/roundcubemail · GitHub
Patch
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041

CVEs referencing this url
http://openwall.com/lists/oss-security/2011/10/26/6

oss-security - Re: CVE Request -- Round Cube Webmail -- DoS (unavailability to access user's INBOX) after receiving an email message with the URL in the Subject
Patch
http://www.securityfocus.com/bid/50402

RoundCube Webmail Denial of Service Vulnerability
https://exchange.xforce.ibmcloud.com/vulnerabilities/71025

RoundCube Webmail URI denial of service CVE-2011-4078 Vulnerability Report

Jump to

Vulnerability Details : CVE-2011-4078

Products affected by CVE-2011-4078

Exploit prediction scoring system (EPSS) score for CVE-2011-4078

CVSS scores for CVE-2011-4078

CWE ids for CVE-2011-4078

References for CVE-2011-4078