Daniel Kalinowski created an issue

Hello, I would like to report a security misconfiguration in the default installation that leads to user email and IP disclosure. In an environment with extended logging enabled, it might leak other error log files.

Problem description:

By default Roundcube stores the logs in the /logs/ folder; this folder is protected via a .htaccess file. On nginx (default web server for) the .htaccess file is ignored, therefore the log files inside the /logs directory are accessible to anyone.


  1. Log in with a valid user account, i.e.
  2. Send an email
  3. Access
  4. Decode the base64 payload
[24-Jun-2019 10:58:17 +0200]: <ejfatilj> User []; Message for; 250: Message Queued (07536A8F-E592-4F99-881A-9D0F38260718.1)

Implement nginx rules to deny access to the logs folder / move the logs outside the webroot directory.


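As an added example of the first remediation named above (this is not configuration from the original report or from the Roundcube project), the following nginx server block denies every request under /logs/. The document root /var/www/roundcube and the server name mail.example.com are assumed placeholders; the PHP handler is reduced to the lines relevant here.

```nginx
# Added example: nginx vhost fragment for a Roundcube install.
# Assumptions (placeholders): root /var/www/roundcube, server_name mail.example.com,
# PHP-FPM listening on the unix socket below.
server {
    listen 443 ssl;
    server_name mail.example.com;
    root /var/www/roundcube;
    index index.php;

    # nginx never reads .htaccess files, so the protection Roundcube ships
    # in logs/.htaccess has no effect here. Deny the directory explicitly.
    # "^~" makes this prefix match win over the regex PHP location below,
    # so /logs/anything.php is also refused instead of being executed.
    # A 404 (rather than "deny all", which answers 403) avoids confirming
    # that the directory exists at all.
    location ^~ /logs/ {
        return 404;
    }

    # Block dotfiles (e.g. the now-ineffective .htaccess itself).
    location ~ /\. {
        return 404;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After reloading nginx, a request for any path under /logs/ (for example `curl -sI https://mail.example.com/logs/` against the placeholder host) should return 404 rather than the file contents. The second remediation from the report, moving the logs out of the webroot, is independent of the web server: Roundcube's config.inc.php option `$config['log_dir']` can point the log directory to a path outside the document root, which removes the exposure even if the nginx rule is later lost.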