A bypass was found for "CVE-2020-12641: Command Injection via "_im_convert_path" in Roundcube Webmail" affecting versions before 1.4.5, 1.3.12.
The php “escapeshellcmd” function, implemented to prevent “CVE-2020-12641: Command Injection via “_im_convert_path” Parameter”, performs insufficient sanitization and therefore this “filter” can be bypassed by using:
- Command specific flags (both Linux and Windows environments)
- Remote SMB paths (only in Windows environments)
A successful attack results in the execution of arbitrary system commands whenever a valid Roundcube user opens a mail containing a non-standard image.
The vendor's disclosure and fix for this vulnerability can be found here.
This bypass was included as a "better fix for CVE-2020-12641" and was not given a separete CVE-ID.
This vulnerability requires:
- Access to the Roundcube Webmail installer component
- Waiting for a Roundcube user to open an email containg a non-standard image
More details and the exploitation process can be found in this PDF.
Initial vulnerability (CVE-2020-12641) and GitHub disclosure