[Security] Rainloop suffers a security bug

It seems Rainloop suffers from an unfixed security issue.

The version we have is the latest and is affected: Shipped version: 1.16.0~ynh3

The only advice is to migrate from Rainloop to SnappyMail… https://snappymail.eu/
I am opening this topic to discuss what would be best, as I assume that many instances are using Rainloop as their main webmail.


“When the email is viewed by the victim, the attacker gains full control over the session of the victim and can steal any of their emails, including those that contain highly sensitive information such as passwords, documents, and password reset links.”

So never open an email from an unknown sender.
Limiting access for visitors, but the yunohost instance uses the same password as the mail, so if the hacker can get the password of the mailbox, the whole instance is compromised.

I’m pinning this thread at the top of the forum. Thanks for the notice!

Our serial-packager eric is already working on packaging SnappyMail: YunoHost-Apps/snappymail_ynh: SnappyMail package for YunoHost (github.com).

If RainLoop remains unmaintained upstream, we will most likely flag it as dangerous in the catalog. This depends on a yet-to-be coded feature, cf. Anti-features draft by Tagadda · Pull Request #1312 · YunoHost/apps (github.com), Add Anti-Features in READMEs by Tagadda · Pull Request #1338 · YunoHost/apps (github.com), and future improvement of the catalog to show such anti-features.


So another workaround in the meantime is not to use Rainloop and redirect all emails to another email address.

In fact, I have it installed but rarely use it since I’m using k9mail and thunderbird.

Rainloop has been removed from the awesome selfhosted list

It has also been removed from other projects.

For people looking for another webmail app there is also Roundcube.

Thank you Eric!


Sad news…!
So, the best option now is to uninstall Rainloop?

About Roundcube, I remember it was really heavy to load on a Raspberry Pi, a long time ago… that’s why I love Rainloop, it’s faster, and it’s less of a gas factory :smiley:

Yep, we should uninstall Rainloop. Soon, we might have the possibility to switch to snappymail.

If the information listed above is correct, then it only happens when opening an email. Hence just not using it would not expose you to that security flaw.
Also, if you want to uninstall it, one option is to make a backup and keep it until the fix is available.

In the github issue I shared above, it is said:

I will also remove rainloop which has not seen a commit since May 2021 and seems to have unaddressed security issues

In the rainloop repository, there is a long list of issues without response.
What’s weird is that the team maintaining it didn’t respond to “Simon Scannell (Vulnerability Researcher)” when contacted.

I already removed it and replaced it with roundcube for now.

Sonar has created a patch in their post (screenshot below) on how to fix this and it would be a great idea to apply it in our app in the meantime to fix this issue.

I’ve tried looking at the app quickly but couldn’t find a way to create this patch easily and I can’t work on it right now so if someone can do it instead it would be great.

Nice find! I am trying to work on it.

Super, thank you @tituspijean. I think we would just need to apply the patch with something like patch rainloop/v/1.13.0/app/libraries/MailSo/Base/HtmlUtils.php < rainloop_xss.patch in install&upgrade. And to provide the patch in our package.

Yup that’s what I’m doing. I only need a bit of time because I’m not used to the diff format. :sweat_smile:

I tried to apply the patch but I get this error:

patch: **** malformed patch at line 12: @@ -250,7 +251,7 @@

:warning: Patch in testing: Fix CVE-2022-29360 by tituspijean · Pull Request #89 · YunoHost-Apps/rainloop_ynh · GitHub


I redid the patch with diff but it is no better, I still get errors.
I suspect it is related to the empty lines, but given how little there is to change, I didn’t dig any further into why it fails. So I edited the file manually while waiting to move to an alternative application.
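
Added example, not part of the original thread or of the rainloop_ynh package: a hunk whose body has fewer lines than its @@ header declares is one common cause of patch's "malformed patch" error, which is reported at the line where the next header appears. The checker below counts each hunk's lines against its header and also flags context lines that have lost their leading space; the sample patch and the file name example.php are constructed.

```python
import re

HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

# Constructed sample, not the real RainLoop patch: the first header
# declares 4 old / 4 new lines but only 3 of each follow.
SAMPLE_BAD = "\n".join([
    "--- a/example.php", "+++ b/example.php",
    "@@ -1,4 +1,4 @@", " line one", "-old two", "+new two", " line three",
    "@@ -10,3 +10,3 @@", " ctx a", "-old b", "+new b", " ctx c",
]) + "\n"

def check_hunks(patch_text):
    """Return (line_number, message) tuples for hunks whose body disagrees
    with the old/new line counts declared in the @@ header."""
    problems = []
    lines = patch_text.splitlines()
    i = 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        if not m:
            i += 1                        # file headers and other text
            continue
        header = i + 1
        old_left = int(m.group(1) or 1)   # a missing count means 1
        new_left = int(m.group(2) or 1)
        i += 1
        while i < len(lines) and (old_left > 0 or new_left > 0):
            line = lines[i]
            if line.startswith("\\"):     # "\ No newline at end of file"
                pass
            elif line.startswith("-"):
                old_left -= 1
            elif line.startswith("+"):
                new_left -= 1
            elif line.startswith(" ") or line == "":
                if line == "":            # editor or copy-paste stripped it
                    problems.append((i + 1, "context line lost its leading space"))
                old_left -= 1
                new_left -= 1
            else:
                break                     # next @@ header or stray text
            i += 1
        if old_left or new_left:
            problems.append((i + 1, f"hunk at line {header}: {old_left} old / "
                                    f"{new_left} new lines unaccounted for"))
    return problems

if __name__ == "__main__":
    for lineno, msg in check_hunks(SAMPLE_BAD):
        print(f"line {lineno}: {msg}")
```

Running the same check on a patch file before shipping it in a package catches header and body mismatches before the install or upgrade script reaches the patch step.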

Hello!

I installed SnappyMail so as to no longer be exposed to this vulnerability.
Everything works very well; could someone just tell me in which file the upload_max_filesize variable needs to be changed in order to upload more than 2 MB? :laughing: