Ineffective .htaccess Protection in Roundcube Component of Analogic Poste.io 2.1.6 Allows Unauthorized Access to Logs

CVE-2019-12938 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:N/A:N

The Roundcube component of Analogic Poste.io 2.1.6 uses .htaccess to protect the logs/ folder, which is effective with the Apache HTTP Server but is ineffective with nginx. Attackers can read logs via the webmail/logs/sendmail URI.
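As an added example (not code from the advisory or from Poste.io), the following audit sketch finds directories under a web root that depend on a blanket-deny `.htaccess` and prints the nginx `location` rules that would have to replace them. The function names, the sample directory layout and the `.htaccess` contents are constructed for illustration.

```python
import os
import re
import tempfile

# Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") blanket denies.
DENY_RE = re.compile(r"(deny\s+from\s+all|require\s+all\s+denied)$", re.I)

def is_blanket_deny(text):
    """True if a deny rule covers the whole directory (not inside a <Section>)."""
    depth = 0
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("</"):
            depth -= 1
        elif s.startswith("<"):
            depth += 1
        elif depth == 0 and DENY_RE.match(s):
            return True
    return False

def htaccess_protected_dirs(webroot):
    """Return URL prefixes that rely on a blanket-deny .htaccess for protection."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if is_blanket_deny(fh.read()):
                    rel = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
                    found.append("/" if rel == "." else f"/{rel}/")
    return sorted(found)

def nginx_deny_blocks(prefixes):
    """Render an equivalent nginx rule per prefix, since nginx ignores .htaccess."""
    return "\n".join(f"location ^~ {p} {{ deny all; }}" for p in prefixes)

def build_sample_tree(root):
    """Constructed layout: logs/ fully denied, skins/ denies only *.php files."""
    samples = {"webmail/logs": "deny from all\n",
               "webmail/skins": '<FilesMatch "\\.php$">\nDeny from all\n</FilesMatch>\n'}
    for rel, body in samples.items():
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(nginx_deny_blocks(htaccess_protected_dirs(tmp)))
```

Rules scoped by `<FilesMatch>` or similar sections are skipped here and need manual translation, since they do not map to a whole-directory `location` block.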
