Merge pull request hestiacp#651 from cmstew/roundcube-security-fix

ScIT-Raphael · web-flow · commit 6e2c80723a70 · 2019-12-17T08:14:53.000+01:00
Fixed a security issue with roundcube.
diff --git a/install/deb/roundcube/main.inc.php b/install/deb/roundcube/main.inc.php
@@ -266,7 +266,7 @@
 // this key is used to encrypt the users imap password which is stored
 // in the session record (and the client cookie if remember password is enabled).
 // please provide a string of exactly 24 chars.
-$rcmail_config['des_key'] = 'vtIOjLZo9kffJoqzpSbm5r1r';
+$rcmail_config['des_key'] = '%des_key%';
 
 // Automatically add this domain to user names for login
 // Only for IMAP servers that require full e-mail addresses for login
diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -1538,10 +1538,12 @@ if [ "$dovecot" = 'yes' ] && [ "$exim" = 'yes' ] && [ "$mysql" = 'yes' ]; then
     chown www-data:adm /var/log/roundcube/errors
 
     r="$(gen_pass)"
+    rcDesKey="$(openssl rand -base64 30 | tr -d "/" | cut -c1-24)"
     mysql -e "CREATE DATABASE roundcube"
     mysql -e "GRANT ALL ON roundcube.*
         TO roundcube@localhost IDENTIFIED BY '$r'"
     sed -i "s/%password%/$r/g" /etc/roundcube/debian-db-roundcube.php
+    sed -i "s/%des_key%/$rcDesKey/g" /etc/roundcube/config.inc.php
     sed -i "s/localhost/$servername/g" /etc/roundcube/plugins/password/config.inc.php
     mysql roundcube < /usr/share/dbconfig-common/data/roundcube/install/mysql
 
diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -1487,10 +1487,12 @@ if [ "$dovecot" = 'yes' ] && [ "$exim" = 'yes' ] && [ "$mysql" = 'yes' ]; then
     chown www-data:adm /var/log/roundcube/errors
 
     r="$(gen_pass)"
+    rcDesKey="$(openssl rand -base64 30 | tr -d "/" | cut -c1-24)"
     mysql -e "CREATE DATABASE roundcube"
     mysql -e "GRANT ALL ON roundcube.*
         TO roundcube@localhost IDENTIFIED BY '$r'"
     sed -i "s/%password%/$r/g" /etc/roundcube/debian-db-roundcube.php
+    sed -i "s/%des_key%/$rcDesKey/g" /etc/roundcube/config.inc.php
     sed -i "s/localhost/$servername/g" /etc/roundcube/plugins/password/config.inc.php
     mysql roundcube < /usr/share/dbconfig-common/data/roundcube/install/mysql
 
diff --git a/install/upgrade/versions/latest.sh b/install/upgrade/versions/latest.sh
@@ -113,3 +113,9 @@ if [ -z "$GZIP_LVL_CHECK" ]; then
     echo "(*) Updating backup compression level variable..."
     $BIN/v-change-sys-config-value "BACKUP_GZIP" '9'
 fi
+
+# Randomize Rouncube des_key for better security
+if [ -f "/etc/roundcube/config.inc.php" ]; then
+    rcDesKey="$(openssl rand -base64 30 | tr -d "/" | cut -c1-24)"
+    sed -i "s/vtIOjLZo9kffJoqzpSbm5r1r/$rcDesKey/g" /etc/roundcube/config.inc.php
+fi
