Zero-Day Advisory
Fortinet Discovers Roundcube Webmail Brute Force Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a brute-force vulnerability in Roundcube webmail.
Roundcube is a free and open-source webmail solution with a desktop-like user interface that is easy to install and configure and runs on a standard LAMPP server.
The vulnerability exists because Roundcube provides insufficient protection against brute-force login attempts. It can be exploited to obtain users' Roundcube credentials.
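As an added defender-side illustration (not part of Fortinet's advisory or of Roundcube's own code), the script below reads Roundcube failed-login log entries and flags a source address that crosses a failure threshold inside a sliding time window, the kind of signal an IPS signature or log-based rate limiter keys on. The log line shape and the sample entries are assumptions constructed for this example; verify the pattern against your own logs/errors file.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed shape of a failed-login entry in Roundcube's logs/errors file
# (bracketed timestamp, optional session id, then the IMAP error message).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?IMAP Error: Login failed for (?P<user>\S+?)"
    r"(?: against \S+)? from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S %z"

def parse_failures(lines):
    """Yield (timestamp, user, source_ip) for every failed-login line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["user"], m["ip"]

def find_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (failures, distinct_users)} for the largest burst of at
    least `threshold` failures from one source inside a sliding `window`."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) still in window
    flagged = {}
    for ts, user, ip in parse_failures(lines):
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and len(q) >= flagged.get(ip, (0,))[0]:
            flagged[ip] = (len(q), len({u for _, u in q}))
    return flagged

def _failed(ts, user, ip):
    """Build one constructed log line in the assumed format (not real data)."""
    return (f"[{ts} +0000]: <s7f3k> IMAP Error: Login failed for {user} "
            f"from {ip}. AUTHENTICATE PLAIN: A0001 NO Authentication failed")

# Constructed sample: one source cycles through three accounts within ten
# seconds, a second source fails once, and the first source returns after the
# window has expired (that late failure must not extend the earlier burst).
SAMPLE_LOG = [
    _failed("04-Jan-2016 09:00:01", "alice", "203.0.113.10"),
    _failed("04-Jan-2016 09:00:03", "alice", "203.0.113.10"),
    _failed("04-Jan-2016 09:00:05", "bob", "203.0.113.10"),
    _failed("04-Jan-2016 09:00:07", "bob", "203.0.113.10"),
    _failed("04-Jan-2016 09:00:09", "carol", "203.0.113.10"),
    _failed("04-Jan-2016 09:01:00", "dave", "198.51.100.7"),
    _failed("04-Jan-2016 09:30:00", "alice", "203.0.113.10"),
]
```

Running `find_brute_force(SAMPLE_LOG)` on the sample reports only 203.0.113.10, with five failures against three accounts; the single failure from 198.51.100.7 stays below the threshold.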
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability: Roundcube.Webmail.Brute.Force
Released Jan 04, 2016
Users should apply the solution provided by Roundcube.
Additional Information
The vulnerability was fixed in Roundcube webmail version 1.1.4.
Acknowledgement
This vulnerability was discovered by Zhouyuan Yang of Fortinet's FortiGuard Labs.