VYPR
Unrated severity · NVD Advisory · Published Jun 24, 2019 · Updated Aug 4, 2024

CVE-2019-12938

Description

The Roundcube component of Analogic Poste.io 2.1.6 uses .htaccess to protect the logs/ folder, which is effective with the Apache HTTP Server but is ineffective with nginx. Attackers can read logs via the webmail/logs/sendmail URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Roundcube component in Poste.io 2.1.6 uses .htaccess to protect logs, which is ineffective under nginx, allowing attackers to read log files via the webmail/logs/sendmail URI.

Vulnerability

The vulnerability exists in the Roundcube component of Analogic Poste.io version 2.1.6. The logs/ folder is protected using .htaccess, which is only effective when the web server is Apache HTTP Server. When nginx is used as the web server, .htaccess files are ignored, leaving the logs directory accessible. The affected URI is webmail/logs/sendmail. [1]

Exploitation

An attacker can access the logs by navigating to the webmail/logs/sendmail URI on a Poste.io instance running version 2.1.6 with nginx as the web server. No authentication is required, as the .htaccess protection is bypassed. The attacker simply needs network access to the webmail interface.

Impact

Successful exploitation allows an attacker to read the sendmail log files, which may contain sensitive information such as email addresses, message headers, or other data logged by the mail system. This leads to information disclosure.

Mitigation

The provided reference [1] does not explicitly mention a fix for this CVE. However, upgrading to a later version of Poste.io may address the issue, as the changelog indicates ongoing updates. Alternatively, administrators using nginx should implement proper access controls for the logs directory via nginx configuration, such as denying access to the /webmail/logs/ path. No workaround is provided in the available references.
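The contrast below is an added illustration, not configuration shipped by Poste.io or Roundcube: the Apache-only rule on the left side of the problem and the nginx-side deny that the mitigation above calls for. The config file path and the `/webmail/` prefix are assumptions based on the URI given in the description.

```nginx
# Hypothetical /etc/nginx/conf.d/webmail-logs.conf (path is an assumption)
#
# What .htaccess would have done under Apache (nginx ignores this file entirely):
#   Order allow,deny
#   Deny from all
#
# nginx needs an explicit location rule. The ^~ prefix match wins over regex
# locations, so a later PHP or static-file rule cannot re-expose the path.
# Covers /webmail/logs/sendmail and anything else under logs/.
server {
    listen 443 ssl;
    server_name mail.example.com;   # constructed placeholder hostname

    # Block the Roundcube logs/ directory: respond 404 so the directory is not
    # confirmed to exist (use "deny all;" instead if a 403 is preferred).
    location ^~ /webmail/logs/ {
        return 404;
    }

    # Same for a request that omits the trailing slash
    location = /webmail/logs {
        return 404;
    }

    # ... existing webmail locations follow unchanged ...
}
```

Verify with `nginx -t` and then request `/webmail/logs/sendmail` against your own instance; a 200 with log content means the rule is not being reached.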

References
  1. Changelog

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
