Unpatched Bug in RainLoop Webmail Could Give Hackers Access to all Emails - Switch to SnappyMail

Seven · April 23, 2022, 2:07pm

Unpatched Bug in RainLoop Webmail Could Give Hackers Access to all Emails

A potential impact to /e/mail

An unpatched high-severity security flaw has been disclosed in the open-source RainLoop web-based email client that could be weaponized to siphon emails from victims’ inboxes.

SonarSource, in its disclosure timeline, said that it notified the maintainers of RainLoop of the bug on November 30, 2021, and that the software maker has failed to issue a fix for more than four months.

In the absence of patches, SonarSource is recommending users to migrate to a RainLoop fork called SnappyMail, which is actively maintained and unaffected by the security issue.

SnappyMail is a fork of the much appreciated RainLoop, but with massive changes…

https://snappymail.eu/

Installation instructions - To Include Migration from Rainloop

Regain your privacy! Adopt /e/ the unGoogled mobile OS and online services phone

smu44 · April 23, 2022, 2:40pm

I’ll be curious to know if this could be avoid by some Nginx reverse proxy configuration ?

Seven · April 23, 2022, 6:26pm

I have no idea. Maybe you can reach out to Rainloop and see what they say. Think it would be worth a try?

Seven · April 23, 2022, 6:49pm

Other Possible Solutions.

A mail app for Nextcloud

RoundCube for Nextcloud

smu44 · April 24, 2022, 8:11am

Easiest solution : apply proposed patch from here : RainLoop Webmail - Emails at Risk due to Code Flaw

Done for my self-hosted, working fine
For the reference, file path on self-hosted is /mnt/repo-base/volumes/nextcloud/html/custom_apps/rainloop/app/rainloop/v/1.1?.0/app/libraries/MailSo/Base/HtmlUtils.php (1.15.0 for current, 1.16.0 for NC21).

Seven · April 24, 2022, 2:18pm

Sounds like the way to go. You should run this up with to the efoundation. It would be the easiest way to go. But is this a Short-term fix or Long-term solution?

Since Rainloop is the email solution for /e/Mail then it is worth a look. I am sure many users enjoy using e.email as a great email option.

Why do you think Rainloop is taking so long to address this?

smu44 · April 24, 2022, 4:23pm

It is a long-term run for me, as the patch completely resolves the problem.

At least, until Rainloop dev team came up with a heavy rewrite AND /e/ team decides to update their app.
This can take … some time! I’m not aware of Rainloop dev member activities, so for me it can’t be predictable.

I’ll try to use my patched self-hosted Rainloop for some days, then if OK I’ll open a Gitlab issue for /e/ dev to patch their servers.

Seven · April 24, 2022, 11:54pm

Sounds like a good first step to address the issue. I only asked about short-term because of the article you included. It seems to suggest the Rainloop dev team has made no official effort as of yet. And like you stated, it can take time. By both articles we posted, its been almost 6 months already. There needs to be a bit faster movement by devs to address end user concerns. I think why the articles suggest migrating to using SnappyMail for Long-Term use. Mail-in-a-box seems to fit the bill as well. Of course it would be far easier to just address the issue in Rainloop. I’m sure you can work some of your magic to fix this lol. I look forward to hearing how your testing goes.

smu44 · April 25, 2022, 5:51am

That’s what we call “open-source laws” : it’s free but there’s go guarantee, if you don’t agree you can do it yourself

So far testing is OK with regular emails, but I wasn’t aware to reproduce the PoC by sending a forged “evil email” …
Anyway, I’ll open a GitLab issue in days, as promised

Seven · April 25, 2022, 7:55am

@smu44 Good to hear. I hope it works out well and fixes the issue.Thanks for being on the ball. Many users will thank you for it. No question. This includes myself

In the end I am sure people just want a good, Long-term solution to the issue. Whatever that may look like.

I must admit that looking at Nextcloud mail, which uses mail-in-a-box mailservice looks like a great option as RoundCube is only a part of the package. Especially when looking at their security guide. Very nice over all.

github.com

mail-in-a-box/mailinabox/blob/main/security.md

Mail-in-a-Box Security Guide
============================

Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a mail server appliance by installing and configuring various components.

This page documents the security posture of Mail-in-a-Box. The term “box” is used below to mean a configured Mail-in-a-Box.

Reporting Security Vulnerabilities
----------------------------------

Security vulnerabilities should be reported to the [project's maintainer](https://joshdata.me) via email.

Threat Model
------------

Nothing is perfectly secure, and an adversary with sufficient resources can always penetrate a system.

The primary goal of Mail-in-a-Box is to make deploying a good mail server easy, so we balance ― as everyone does ― privacy and security concerns with the practicality of actually deploying the system. That means we make certain assumptions about adversaries. We assume that adversaries . . .

* Do not have physical access to the box (i.e., we do not aim to protect the box from physical access).

This file has been truncated. show original

It also looks like Snappymail is working on Next-cloud integration as well.

github.com/the-djmaze/snappymail

First-class support for Nextcloud

opened 10:55PM - 21 Jun 21 UTC

pemocarlo

enhancement help wanted

Firt of all, thank you for this rewrite of the Rainloop app, it is really needed…. After reading the documentation, I saw that you removed support for all 3rd party apps, to ensure GDPR compliance. But I wanted to know if you would be open to support Nextcloud - as an open source project where you are guaranteed to have control of your data, this should make sense. Thanks a lot for your consideration **Is your feature request related to a problem? Please describe.** I have been using Rainloop with Nextcloud. In my opinion, it is the best email option available. Nevertheless, the integration between the two is currently less than perfect. **Describe the solution you'd like** Have a better integration with Nextcloud **Describe alternatives you've considered** Modify the Rainloop app to improve this, but the code is a bit outdated. I would prefer to work with this fork :) **Additional context** There is currently a Rainloop app for Nextcloud: https://github.com/pierre-alain-b/rainloop-nextcloud Adding attachments from Nextcloud: https://github.com/RainLoop/rainloop-webmail/issues/2023

Interesting SnappyMail vs RainLoop
https://snappymail.eu/comparison.html

smu44 · April 26, 2022, 5:57am

I agree, some competitors may be better than Rainloop.

But I’m quite sure that /e/ dev team won’t have the resources to migrate from a customized Rainloop, so for now we can only patch it, and hope for another webmail app at a very-long-term

Seven · April 26, 2022, 6:45am

That is exactly how I see it. The patch that you mentioned serves the immediate situation without issue. This also gives time for /e/ dev to discuss options for the long-term without having to worry about the current issue as it already has a solution. Piece of mind and breathing room. I couldn’t agree more.

Seven · April 28, 2022, 1:31am

@smu44 So how is the testing coming alone? Any issues with implementing the patch?

smu44 · April 28, 2022, 6:21am

So far, no problem using the patch.
And it was very easy to put in place

Please allow me some days, when I’ll have enough free time I’ll create the issue in /e/ Gitlab.

Seven · May 3, 2022, 5:17pm

@smu44 Sounds good. I look forward to hearing about the patch’s performance. Thanks.

smu44 · May 4, 2022, 4:59am

Hi @Seven,

I found no problem nor performance issue using the patch
That was expected : it just replace a static tag with a random one (roughly, this tag helps the rendering engine to identify the HTML part of the message).

Expect the Gitlab issue to be created during newt week-end !

smu44 · May 8, 2022, 6:42am

Good news! The /e/ dev team already applied the patch : Fixing XSS bug by using what is recommended here... (ccb38182) · Commits · e / infra / selfhost / nextcloud-apps / Rainloop Nextcloud · GitLab

Seems like someone read the posts here

Anyway, thanks @seven for reporting & following, and thanks to /e/ dev team for the awesome job

Seven · May 8, 2022, 8:36am

Well that is indeed good news!

It sure does seem like someone was following the conversation.

I am happy to know that the /e/ dev team got right on top of this quickly! Thank you team!

And you are welcome @smu44. Being part of a small community means communicating any problems and sharing possible solutions. I was just trying to make this aware as this effected everyone who used /e/ services. Thank you for finding the patch itself and giving it a test go. Clearly you were trying to work your magic to put this solution into play. Very cool.

system · May 23, 2022, 2:07pm

This topic was automatically closed after 30 days. New replies are no longer allowed.