
issues on Roundcube 1.4 #7698

Closed
glraj70 opened this issue Oct 28, 2020 · 3 comments

Comments

@glraj70

glraj70 commented Oct 28, 2020

Hello,

I will repost as single issues

Regards,
Rajesh G L

@alecpl
Member

alecpl commented Oct 28, 2020

I don't have time to process this now, but in a quick look the report looks quite useless. It describes some general rules mostly about session security and tokens, but does not describe real issues.

@johndoh
Contributor

johndoh commented Oct 28, 2020

@glraj70 publishing vulnerability reports in a public forum without first giving devs an opportunity to address those vulnerabilities is not very friendly; you risk handing information to bad actors, putting your own installation and others at greater risk. Also, as a general rule it's best to limit tickets to single issues; this makes for easier tracking and management.

In this case the report does not contain much in the way of any actual problems though. It lists 3 potential issues:

  1. Session Hijacking - mitigations already exist for this, see Authentication Bypass via Improper Session Management #7576
  2. Session token in URL - this is part of the CSRF and only used in situations where POST is not practical. IMO this is low risk but mitigations also already exist for this, look at the use_secure_urls config option
  3. Parameter Tampering - I do not understand what issue is being described here
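To make the mitigations mentioned above concrete from the defender's side, here is an added example of the relevant session-hardening lines in a Roundcube `config/config.inc.php`. This is not code from the thread or from the Roundcube project; `use_secure_urls` is the option named in the comment, while `ip_check`, `session_lifetime` and `force_https` are assumed to exist in the installed version's `defaults.inc.php` and should be checked there before use.

```php
<?php
// Added example, not part of the issue or the Roundcube project.
// Hardened session settings for config/config.inc.php.

// Embed a per-session token in URLs so a copied or replayed URL cannot be
// reused from another session (the option referred to in the thread).
$config['use_secure_urls'] = true;

// Bind the session to the client IP that created it, so a session cookie
// presented from a different address is rejected (assumed key; may sign out
// users whose address changes, e.g. on mobile networks).
$config['ip_check'] = true;

// Expire idle sessions quickly; value is in minutes (assumed key).
$config['session_lifetime'] = 10;

// Refuse plain HTTP so the session cookie never travels in clear text
// (assumed key; requires a working HTTPS setup on the web server).
$config['force_https'] = true;
```

These settings raise the cost of session hijacking and token replay but do not replace the CSRF checks that Roundcube applies to POST requests; they complement them.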

@glraj70
Author

glraj70 commented Oct 28, 2020

Hi Johndoh,
Thanks for the reply.
Apologies for posting in a public forum. In future I will post as single issues.
I will close this case.
Kindly delete the post from the forum.

@glraj70 glraj70 closed this as completed Oct 28, 2020
@glraj70 glraj70 changed the title from "Vulnerabilities on Roundcube 1.4" to "issues on Roundcube 1.4" Oct 28, 2020