Fortinet Discovers Roundcube Webmail Brute Force Vulnerability
Fortinet's FortiGuard Labs has discovered a brute-force vulnerability in Roundcube webmail.
Roundcube is a free and open source webmail solution with a desktop-like user interface. It is easy to install and configure, and it runs on a standard LAMPP server.
The vulnerability exists due to insufficient anti-brute-force protection. It can be exploited to gain users' Roundcube credentials.
Solutions
FortiGuard Labs released the following FortiGate IPS signature, which covers this specific vulnerability:
Released Jan 04, 2016
Users should apply the solution provided by Roundcube.
The vulnerability was fixed in Roundcube webmail version 1.1.4.