
VestaCP + Exim + php mail function security issue?

Posted: Fri Nov 20, 2015 6:37 am
by securetunnel
VestaCP seems to install the mail system with an implicit "trust" of localhost. The php mail() function will use localhost (as will roundcube then by default) and this doesn't require authentication of a local user to send mail.

The issue with this is that if you are hosting a website on the same installation, and that website gets hacked with a PHP shell or similar (happens to WordPress, Joomla, Drupal all the time), then that exploit can turn your VestaCP installation into a spam generator, as your hacked site can make use of the PHP mail() function and send mail at will without authentication.

We got around this by requiring auth to smtp (exim) through the whole system:

1) Point /usr/sbin/sendmail to /dev/null
2) Configure /etc/roundcubemail/main.inc.php --> SMTP section, to use localhost, port (25 or 587), and the %u/%p values for username and password so that your authenticated user to webmail (roundcube) is actually authenticating to SMTP locally even when using webmail.

We had several instances of hacked websites that were able to make use of the default 'localhost-can-send-without-auth' configuration.

Suggest in future releases of VestaCP that exim/sendmail be COMPLETELY locked down so that even sending from LOCALHOST requires auth.
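An added check, not part of securetunnel's post: a small bash probe that talks SMTP to the local Exim and reports whether an unauthenticated localhost client may relay to an outside domain. It stops after RCPT TO and sends QUIT, never DATA, so nothing is queued. The host, port and probe addresses (probe.invalid, example.com, example.net) are assumptions for illustration, and the sample transcripts at the bottom are constructed, not captured from a server. One caveat when reading its result: this models the SMTP path that Roundcube uses. PHP's mail() by default hands the message to /usr/sbin/sendmail, which injects it as a non-SMTP message that Exim's SMTP ACLs (acl_check_rcpt) never see, so an "auth-required" result here does not mean a PHP shell on the box cannot send mail.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Probes whether the MTA on
# localhost relays for an unauthenticated client. The dialogue stops at RCPT
# and sends QUIT, never DATA, so no message is queued. Needs bash (/dev/tcp).
# Host, port and the probe addresses are assumptions for illustration.

# Read one SMTP reply from fd 3 and print it. Multi-line replies use "NNN-"
# continuation lines; the reply ends at the first "NNN " line.
smtp_reply() {
    while IFS= read -r -t 10 line <&3; do
        printf '%s\n' "$line"
        case $line in
            [0-9][0-9][0-9]\ *) break ;;
        esac
    done
}

# Run banner, EHLO, MAIL FROM, RCPT TO, QUIT against $1:$2 (default
# 127.0.0.1:25) and classify the replies. Returns 2 if the connect fails.
probe_local_relay() {
    host=${1:-127.0.0.1}
    port=${2:-25}
    transcript=$(
        exec 3<>"/dev/tcp/$host/$port" || exit 2
        smtp_reply                                   # 220 banner first
        for cmd in 'EHLO probe.invalid' \
                   'MAIL FROM:<probe@example.com>' \
                   'RCPT TO:<relay-test@example.net>' \
                   'QUIT'; do
            printf '%s\r\n' "$cmd" >&3
            smtp_reply
        done
    ) || return 2
    classify_transcript "$transcript"
}

# Classify a transcript of server replies (one per line, in the order above).
# The 4th final reply line is the answer to RCPT TO:
#   2xx -> open-relay    : localhost may send anywhere without AUTH
#   5xx -> auth-required : relay refused (Exim says "550 relay not permitted")
#   4xx -> temp-rejected : greylisting or rate limit, retry later
classify_transcript() {
    code=$(printf '%s\n' "$1" |
        awk '/^[0-9][0-9][0-9] / { n++; if (n == 4) { print substr($0, 1, 3); exit } }')
    case $code in
        2??) echo open-relay ;;
        5??) echo auth-required ;;
        4??) echo temp-rejected ;;
        *)   echo unknown ;;
    esac
}

# Constructed sample transcripts (not captured from a real server) so the
# classifier can be exercised without an MTA.
sample_open=$(printf '%s\n' '220 mail.example ESMTP Exim 4.86' \
    '250-mail.example Hello probe.invalid [127.0.0.1]' '250-PIPELINING' '250 HELP' \
    '250 OK' '250 Accepted' '221 mail.example closing connection')
sample_locked=$(printf '%s\n' '220 mail.example ESMTP Exim 4.86' \
    '250-mail.example Hello probe.invalid [127.0.0.1]' '250-AUTH PLAIN LOGIN' '250 HELP' \
    '250 OK' '550 relay not permitted' '221 mail.example closing connection')

echo "sample open transcript:   $(classify_transcript "$sample_open")"
echo "sample locked transcript: $(classify_transcript "$sample_locked")"
# Run it for real with:  ./probe.sh --live 127.0.0.1 25
if [ "${1:-}" = "--live" ]; then
    probe_local_relay "${2:-127.0.0.1}" "${3:-25}"
fi
```

If the live probe prints open-relay, a plain SMTP client on the box (a PHP shell using fsockopen, not only mail()) can send outbound mail with no credentials; auth-required only means the SMTP door is closed, and the sendmail binary remains to be dealt with as the post describes.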

Re: VestaCP + Exim + php mail function security issue?

Posted: Fri Nov 20, 2015 5:50 pm
by abad
I don't think that any other panels restrict that, since it makes it much less user-friendly.

Re: VestaCP + Exim + php mail function security issue?

Posted: Sat Nov 21, 2015 11:02 am
by AdamiPL
abad wrote: I don't think that any other panels restrict that, since it makes it much less user-friendly.
This must be safe, not user-friendly.

Re: VestaCP + Exim + php mail function security issue?

Posted: Sat Apr 09, 2016 3:01 am
by Vladimir Chanaev
Confirm.
My Vesta with some Joomla sites was affected by this problem. Huge CPU and bandwidth loads. The SpamAssassin and ClamAV daemons fall down after 5-10 minutes.
Thanks for the advice.

Re: VestaCP + Exim + php mail function security issue?

Posted: Sun Apr 10, 2016 4:49 am
by Vladimir Chanaev

1) /usr/sbin/sendmail -v -d < /dev/null

2) nano /etc/roundcube/main.inc.php

$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';
Correct? Please confirm. Thanks!

Re: VestaCP + Exim + php mail function security issue?

Posted: Sun Apr 10, 2016 8:08 pm
by alexare
Vladimir Chanaev wrote: Confirm.
My Vesta with some Joomla sites was affected by this problem. Huge CPU and bandwidth loads. The SpamAssassin and ClamAV daemons fall down after 5-10 minutes.
Thanks for the advice.
I had the same issue too - SpamAssassin fails after 5-10 minutes; and the bug came from a WordPress site installed on my server.

Re: VestaCP + Exim + php mail function security issue?

Posted: Mon Apr 11, 2016 2:29 pm
by alexare
Vladimir Chanaev wrote:

1) /usr/sbin/sendmail -v -d < /dev/null

2) nano /etc/roundcube/main.inc.php

$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';
Correct? Please confirm. Thanks!
This didn't work for me; I am running CentOS 6.7.
nano /etc/roundcubemail/main.inc.php worked

but I can't point to /dev/null

Re: VestaCP + Exim + php mail function security issue?

Posted: Fri Apr 15, 2016 4:23 am
by Vladimir Chanaev
alexare wrote: but I can't point to /dev/null

Click EDIT on your Mail Account in the MAIL section of Vesta CP and edit Catchall email: /dev/null
I think it's the same, but I'm not sure.

Re: VestaCP + Exim + php mail function security issue?

Posted: Sat Jul 23, 2016 4:05 pm
by a1war
I don't have any /etc/roundcube/main.inc.php

These are the files I have in the /etc/roundcube/ directory:

apache.conf debian-db.php lighttpd.conf
config.inc.php defaults.inc.php mimetypes.php
debian-db-roundcube.php htaccess plugins/

Which one I should update?

Re: VestaCP + Exim + php mail function security issue?

Posted: Sat Oct 15, 2016 4:56 am
by auraputih
Method for PHP 5.5 and before
We have to edit sendmail_path in php.ini

1. nano /etc/php5/apache2/php.ini
2. Edit the line sendmail_path = and change it to sendmail_path = "/dev/null"
3. Save

Method for PHP 5.6 and after
The newest PHP version installed on the server does not allow global settings (such as execution time, max upload file size, max post file size, etc.) to be changed.

Follow these steps to resolve the issue:

1. nano /etc/php5/apache2/conf.d/user.ini
2. Add the line sendmail_path = "/dev/null" to /etc/php5/apache2/conf.d/user.ini
3. Save
4. Use this ini file for any custom settings.

Edit Roundcube configuration
After you have changed the setting in PHP, you have to change the setting in Roundcube:

nano /etc/roundcube/main.inc.php

$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';

*On CentOS, php.ini is located at /etc/php.ini
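The whole procedure from this post as one idempotent script, added here as an example; it is not code from the thread or from VestaCP. It rewrites sendmail_path in whatever php.ini or conf.d/user.ini you pass it, sets the Roundcube SMTP credentials to %u/%p, and verifies the result, keeping a .bak of each edited file. It handles both config layouts that appear in the thread: Roundcube 0.x used main.inc.php with $rcmail_config[...], Roundcube 1.x uses config.inc.php with $config[...], which is why a1war's /etc/roundcube/ contains only config.inc.php. The file contents in the demo are constructed samples, not real VestaCP files. Keep in mind that a /dev/null sendmail_path silently drops every legitimate mail() call as well (password resets, contact forms); if sites need mail, pointing sendmail_path at an authenticated submission wrapper per site is the alternative, and this script does not set that up.

```shell
#!/bin/sh
# Added example, not from the thread or VestaCP. Applies the two settings
# discussed above to files you name, then verifies them. Writes FILE.bak
# next to each edited file. The demo paths at the bottom are temp files.

# Set KEY = VALUE in an ini-style file (php.ini, conf.d/user.ini). A
# commented-out ";key =" line is replaced so the setting becomes active;
# if the key is absent it is appended. PHP honours the last occurrence.
set_ini_key() {
    file=$1 key=$2 value=$3
    if grep -q "^[[:space:];]*$key[[:space:]]*=" "$file"; then
        sed -i.bak "s|^[[:space:];]*$key[[:space:]]*=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Set $config['KEY'] (Roundcube 1.x, config.inc.php) or $rcmail_config['KEY']
# (Roundcube 0.x, main.inc.php), using whichever array name the file has.
set_rc_key() {
    file=$1 key=$2 value=$3
    arr=config
    grep -q '^\$rcmail_config\[' "$file" && arr=rcmail_config
    if grep -Eq "^\\\$(config|rcmail_config)\['$key'\]" "$file"; then
        sed -E -i.bak "s/^\\\$(config|rcmail_config)\['$key'\][[:space:]]*=.*/\$\1['$key'] = $value;/" "$file"
    else
        printf '$%s[%s] = %s;\n' "$arr" "'$key'" "$value" >> "$file"
    fi
}

# Apply the post's two changes: neuter the sendmail path PHP's mail() uses,
# and make Roundcube authenticate to SMTP with the webmail user's own login.
harden_php_mail() {
    set_ini_key "$1" sendmail_path '"/dev/null"'
    set_rc_key "$2" smtp_server "'localhost'"
    set_rc_key "$2" smtp_user "'%u'"
    set_rc_key "$2" smtp_pass "'%p'"
}

# Succeeds only if both files carry the hardened values.
verify_php_mail() {
    grep -q '^sendmail_path = "/dev/null"' "$1" &&
    grep -Eq "^\\\$(config|rcmail_config)\['smtp_user'\] = '%u';" "$2" &&
    grep -Eq "^\\\$(config|rcmail_config)\['smtp_pass'\] = '%p';" "$2"
}

# Demo on constructed copies (not real VestaCP files) so it is safe to run.
demo_dir=$(mktemp -d)
printf '%s\n' '[mail function]' ';sendmail_path =' 'sendmail_from = me@localhost' \
    > "$demo_dir/php.ini"
printf '%s\n' '<?php' "\$config['smtp_server'] = '';" "\$config['smtp_user'] = '';" \
    "\$config['smtp_pass'] = '';" > "$demo_dir/config.inc.php"
harden_php_mail "$demo_dir/php.ini" "$demo_dir/config.inc.php"
if verify_php_mail "$demo_dir/php.ini" "$demo_dir/config.inc.php"; then
    echo "hardened $demo_dir/php.ini:"; grep sendmail_path "$demo_dir/php.ini"
    echo "hardened $demo_dir/config.inc.php:"; grep smtp_ "$demo_dir/config.inc.php"
else
    echo "verification failed" >&2
fi
```

Run it against the real files as root (for example /etc/php.ini and /etc/roundcubemail/config.inc.php on CentOS) and then restart the web server or PHP-FPM so the new sendmail_path is picked up; verify_php_mail alone is a cheap check to put in a cron job so the setting is noticed if a panel update rewrites php.ini.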