Poste.io logs leak

Issue #665 resolved
Daniel Kalinowski created an issue

Hello, I would like to report a security misconfiguration in the poste.io default installation that leads to user email and IP disclosure. In an environment with extended logging enabled, it might leak other error log files.

Problem description:

By default Roundcube stores the logs in the /logs/ folder; this folder is protected via a .htaccess file. On nginx (the default web server for poste.io) the .htaccess file is ignored, therefore the log files inside the /logs directory are accessible to anyone.

PoC:

  1. Log in on https://demo.poste.io/webmail/ with a valid user account, i.e. foo@poste.io:foo
  2. Send an email
  3. Access https://demo.poste.io/webmail/logs/sendmail
  4. Decode the base64 payload

    WzI0LUp1bi0yMDE5IDEwOjU4OjE3ICswMjAwXTogPGVqZmF0aWxqPiBVc2VyIGZvb0Bwb3N0ZS5pbyBbMTcyLjE4LjAuMTFdOyBNZXNzYWdlIGZvciBmb29AcG9zdGUuaW87IDI1MDogTWVzc2FnZSBRdWV1ZWQgKDA3NTM2QThGLUU1OTItNEY5OS04ODFBLTlEMEYzODI2MDcxOC4xKQo=

    decodes to:

    [24-Jun-2019 10:58:17 +0200]: <ejfatilj> User foo@poste.io [172.18.0.11]; Message for foo@poste.io; 250: Message Queued (07536A8F-E592-4F99-881A-9D0F38260718.1)

Fix:
Implement nginx rules to deny access to the logs folder, or move the logs outside the webroot directory.
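The first of the two fixes proposed in the report, written out as an nginx configuration fragment. This is an added example, not poste.io's shipped configuration; the web root path and the hostname are assumptions, and the /webmail/ prefix follows the URLs in the report.

```nginx
# Added example, not poste.io's own configuration.
# Assumes Roundcube is served under /webmail/ from the web root below.
server {
    listen 443 ssl;
    server_name mail.example.com;      # assumed hostname
    root /var/www/poste;               # assumed web root

    # Roundcube ships .htaccess files in logs/, temp/ and config/ that
    # Apache honours and nginx ignores. Recreate that protection here.
    # nginx picks the first matching regex location in file order, so this
    # block must come before any "location ~ \.php$" handler, or a request
    # for /webmail/logs/anything.php would reach the PHP handler first.
    # 404 rather than 403 avoids confirming that the directory exists.
    location ~ ^/webmail/(logs|temp|config)(/|$) {
        return 404;
    }

    # Also refuse any stray .htaccess or .ht* file under the web root.
    location ~ /\.ht {
        return 404;
    }
}
```

For the second fix, Roundcube's `$config['log_dir']` option in config/config.inc.php can point the log directory to a path outside the web root, so that no web server rule is needed to hide it.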
