
Merge pull request #651 from cmstew/roundcube-security-fix

Fixed a security issue with roundcube.
Raphael Schneeberger 6 years ago
parent
commit
6e2c80723a

+ 1 - 1
install/deb/roundcube/main.inc.php

@@ -266,7 +266,7 @@ $rcmail_config['x_frame_options'] = 'sameorigin';
 // this key is used to encrypt the users imap password which is stored
 // in the session record (and the client cookie if remember password is enabled).
 // please provide a string of exactly 24 chars.
-$rcmail_config['des_key'] = 'vtIOjLZo9kffJoqzpSbm5r1r';
+$rcmail_config['des_key'] = '%des_key%';
 
 // Automatically add this domain to user names for login
 // Only for IMAP servers that require full e-mail addresses for login
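Review bot: The new `%des_key%` placeholder on line 269 is only 9 characters, so if the installer's substitution ever does not run (wrong path, failed copy) the shipped config violates the "exactly 24 chars" requirement stated in the comment directly above it, and Roundcube would be left with a predictable, malformed key instead of a random one. The template gives no hint that the value is filled in later, unlike a reader of the installers who sees the matching `%password%` convention. Consider adding a comment above the assignment, e.g. `// %des_key% is replaced with a random 24-char value by the hst-install-*.sh scripts at install time`.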

+ 2 - 0
install/hst-install-debian.sh

@@ -1538,10 +1538,12 @@ if [ "$dovecot" = 'yes' ] && [ "$exim" = 'yes' ] && [ "$mysql" = 'yes' ]; then
     chown www-data:adm /var/log/roundcube/errors
 
     r="$(gen_pass)"
+    rcDesKey="$(openssl rand -base64 30 | tr -d "/" | cut -c1-24)"
     mysql -e "CREATE DATABASE roundcube"
     mysql -e "GRANT ALL ON roundcube.*
         TO roundcube@localhost IDENTIFIED BY '$r'"
     sed -i "s/%password%/$r/g" /etc/roundcube/debian-db-roundcube.php
+    sed -i "s/%des_key%/$rcDesKey/g" /etc/roundcube/config.inc.php
     sed -i "s/localhost/$servername/g" /etc/roundcube/plugins/password/config.inc.php
     mysql roundcube < /usr/share/dbconfig-common/data/roundcube/install/mysql
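Review bot: The generated key on the added `rcDesKey=` line is never validated before the added `sed -i` line writes it into `/etc/roundcube/config.inc.php`, so if `openssl` is missing or fails the pipeline yields an empty string and the placeholder is silently replaced with `''`, leaving Roundcube with an empty `des_key`; the same applies to the identical lines in the hst-install-ubuntu.sh section. `sed -i` also returns 0 when the pattern is absent, so a template without the placeholder would go unnoticed. Add a length check before the substitution, `[ "${#rcDesKey}" -eq 24 ] || { echo "Error: unable to generate roundcube des_key" >&2; exit 1; }`, and optionally confirm the placeholder is gone afterwards with `grep -q '%des_key%' /etc/roundcube/config.inc.php && echo "Warning: des_key not applied" >&2`. The surrounding `if [ "$dovecot" = 'yes' ] ...` block starts and ends outside this hunk, and the target path is presumably where the main.inc.php template is copied earlier in the script — worth confirming since the template name differs.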
 

+ 2 - 0
install/hst-install-ubuntu.sh

@@ -1487,10 +1487,12 @@ if [ "$dovecot" = 'yes' ] && [ "$exim" = 'yes' ] && [ "$mysql" = 'yes' ]; then
     chown www-data:adm /var/log/roundcube/errors
 
     r="$(gen_pass)"
+    rcDesKey="$(openssl rand -base64 30 | tr -d "/" | cut -c1-24)"
     mysql -e "CREATE DATABASE roundcube"
     mysql -e "GRANT ALL ON roundcube.*
         TO roundcube@localhost IDENTIFIED BY '$r'"
     sed -i "s/%password%/$r/g" /etc/roundcube/debian-db-roundcube.php
+    sed -i "s/%des_key%/$rcDesKey/g" /etc/roundcube/config.inc.php
     sed -i "s/localhost/$servername/g" /etc/roundcube/plugins/password/config.inc.php
     mysql roundcube < /usr/share/dbconfig-common/data/roundcube/install/mysql
 

+ 6 - 0
install/upgrade/versions/latest.sh

@@ -113,3 +113,9 @@ if [ -z "$GZIP_LVL_CHECK" ]; then
     echo "(*) Updating backup compression level variable..."
     $BIN/v-change-sys-config-value "BACKUP_GZIP" '9'
 fi
+
+# Randomize Rouncube des_key for better security
+if [ -f "/etc/roundcube/config.inc.php" ]; then
+    rcDesKey="$(openssl rand -base64 30 | tr -d "/" | cut -c1-24)"
+    sed -i "s/vtIOjLZo9kffJoqzpSbm5r1r/$rcDesKey/g" /etc/roundcube/config.inc.php
+fi
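Review bot: The added `sed -i` line replaces the old hardcoded key with `$rcDesKey` without checking that generation succeeded, so an `openssl` failure would swap the known key for an empty `des_key` — arguably worse than the state it is fixing; guard it with `[ "${#rcDesKey}" -eq 24 ] || { echo "Warning: could not generate roundcube des_key, skipping" >&2; }` before the substitution (or skip the sed when the check fails). Rotating this key on upgrade also has a user-visible effect worth documenting in the comment: per the template's own comment, `des_key` encrypts the IMAP password held in the session and the remember-me cookie, so existing sessions and remembered logins will presumably stop decrypting after the upgrade. Suggested comment: `# Replace the former hardcoded Roundcube des_key with a random one (existing sessions/remember-me cookies are invalidated)`, which also fixes the "Rouncube" typo. The block is a no-op on subsequent runs because the literal old key is gone, which is fine.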