Protects against roundcube mail() vulnerability

author Silvio Rhatto <rhatto@riseup.net>

Wed, 7 Dec 2016 12:18:06 +0000 (10:18 -0200)

committer Silvio Rhatto <rhatto@riseup.net>

Wed, 7 Dec 2016 12:18:06 +0000 (10:18 -0200)
author Silvio Rhatto <rhatto@riseup.net>
Wed, 7 Dec 2016 12:18:06 +0000 (10:18 -0200)
committer Silvio Rhatto <rhatto@riseup.net>
Wed, 7 Dec 2016 12:18:06 +0000 (10:18 -0200)
diff --git a/templates/virtual/roundcube/config.inc.php.erb b/templates/virtual/roundcube/config.inc.php.erb

index fa4ed4108c03e2dd7850e4af7c4789de504b9e9d..3205d70c861c390dc3b7f4198313cd07a62e87a2 100644 (file)
--- a/templates/virtual/roundcube/config.inc.php.erb
+++ b/templates/virtual/roundcube/config.inc.php.erb
@@ -44,7 +44,8 @@ $config['default_host'] = 'localhost';
  // %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
  // %z - IMAP domain (IMAP hostname without the first part)
  // For example %n = mail.domain.tld, %t = domain.tld
-$config['smtp_server'] = '';
+// See https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
+$config['smtp_server'] = 'localhost';
  
  // SMTP port (default is 25; use 587 for STARTTLS or 465 for the
  // deprecated SSL over SMTP (aka SMTPS))
author	Silvio Rhatto <rhatto@riseup.net>
	Wed, 7 Dec 2016 12:18:06 +0000 (10:18 -0200)
committer	Silvio Rhatto <rhatto@riseup.net>
	Wed, 7 Dec 2016 12:18:06 +0000 (10:18 -0200)