Friday, November 10, 2017

Roundcube 1.3.3 security release

The Roundcube project recently discovered a file disclosure vulnerability in Roundcube Webmail.

Apparently this zero-day exploit is already being used by hackers to read Roundcube’s configuration files. It requires a valid username and password, because the exploit only works within a valid session. More details will be published soon under CVE-2017-16651. Roundcube versions 1.1.x are affected by this vulnerability. Versions 1.0.x, which are not affected by it, have been patched with the same fix as well.


We advise you to check your Roundcube installation to see if it has been compromised. Please check the Apache access logs (installdir/apache2/logs/access_log) for requests like:

?_task=settings&_action=upload-display&_from=timezone 
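One way to run this check over an access log is sketched below. It is an added example, not code from Bitnami or the Roundcube project; it assumes Apache common/combined log format, and the function name and sample log lines are constructed for illustration.

```python
import re
import sys
from urllib.parse import parse_qs, urlsplit

# Parameters from the request pattern quoted in the advisory text.
INDICATOR = {"_task": "settings", "_action": "upload-display", "_from": "timezone"}

# Leading fields of Apache common/combined log format.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Nov/2017:10:15:32 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/Nov/2017:10:16:01 +0000] "GET /roundcube/?_task=settings&_action=upload-display&_from=timezone HTTP/1.1" 200 2048',
    '198.51.100.7 - - [08/Nov/2017:10:16:05 +0000] "GET /roundcube/?_from=timezone&_action=upload%2Ddisplay&_task=settings HTTP/1.1" 200 2048',
    '192.0.2.10 - - [08/Nov/2017:10:17:00 +0000] "GET /roundcube/?_task=settings&_action=preferences HTTP/1.1" 200 900',
]


def find_suspicious(lines):
    """Return (host, time, status, target) for requests carrying every indicator parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log request line
        # parse_qs percent-decodes, so reordered or encoded parameters still match.
        # Only the URL is logged; parameters sent in a request body are not visible here.
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if all(want in query.get(key, []) for key, want in INDICATOR.items()):
            hits.append((m["host"], m["time"], int(m["status"]), m["target"]))
    return hits


if __name__ == "__main__":
    # Pass the access log path as the first argument; without one, the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            source = fh.readlines()
    else:
        source = SAMPLE_LOG
    for host, time, status, target in find_suspicious(source):
        print(f"{time}  {host}  HTTP {status}  {target}")
```

Any hit is a lead for review rather than proof of compromise; note the client address and timestamp and correlate them with the authenticated sessions active at that time.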


More information about this vulnerability can be found in the official announcement.

For new application deployments, including the Bitnami Launchpad, we have released Roundcube 1.3.3 installers, virtual machines and cloud images that include the security fixes to address this vulnerability. Users launching Bitnami Roundcube via a cloud marketplace are advised to select version 1.3.3, once it is published.

If you have further questions about this security issue or about Bitnami Roundcube, please post to our community forum. Our support team will be happy to help you there!