CVE-2015-8770

HIGH

Roundcube Webmail < 1.0.8 and 1.1.x < 1.1.4 - Authenticated Path Traversal via _skin Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-8770. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary The advisory describes a path traversal vulnerability in Roundcube 1.1.3, allowing authenticated attackers to load arbitrary skins via the '_skin' parameter, potentially leading to information disclosure or RCE if 'skin_include_php' is enabled. The provided HTML form demonstrates the exploit mechanism.

Description

Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php.

Exploits (1)

exploitdb WRITEUP

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/39245

View Code ZIP pw:eip

The advisory describes a path traversal vulnerability in Roundcube 1.1.3, allowing authenticated attackers to load arbitrary skins via the '_skin' parameter, potentially leading to information disclosure or RCE if 'skin_include_php' is enabled. The provided HTML form demonstrates the exploit mechanism.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Roundcube 1.1.3 and prior

Auth required

Prerequisites: Valid Roundcube credentials · Ability to create files on the server

MITRE ATT&CK