Roundcube is a web-based IMAP email client. Roundcube's most prominent feature is the pervasive use of Ajax technology. Roundcube is free and open-source software subject to the terms of the GNU General Public License (GPL-3.0-or-later), with exceptions for skins and plugins.[3]
In 2023, the pro-Russia hacking group Winter Vivern[7] exploited a zero-day vulnerability in Roundcube to attack European government entities and a think tank, as reported by researchers from ESET.[8] This vulnerability was essentially a cross-site scripting error, and it was used to inject JavaScript into the Roundcube server application. Simply viewing a malicious email was sufficient to allow the attackers to run arbitrary JavaScript code in the Roundcube user's browser window, allowing them to access folders and emails in that user's account and send those emails to the attackers' servers.[9]
As of late 2023, the most recent eight releases (1.6.5, 1.5.6, 1.6.4, 1.5.5, 1.4.15, 1.5.4, 1.4.14 and 1.6.3) all contained XSS-related fixes.[10]
Roundcube is written in PHP and can be deployed on a LAMP stack or on any other operating system that supports PHP. The web server needs access to the IMAP server hosting the email and to an SMTP server to be able to send messages.
Roundcube Webmail is designed to run on standard web servers such as Apache, LiteSpeed, Nginx, Lighttpd, Hiawatha or Cherokee in conjunction with a relational database engine. Supported databases are MySQL, PostgreSQL and SQLite. The user interface is rendered in XHTML and CSS and is fully customizable with skins.
Roundcube incorporates jQuery as part of its distribution, as well as other libraries such as GoogieSpell and TinyMCE.
Roundcube comes included with cPanel as of early 2008.
Starting with version 0.3, Roundcube introduced a plug-in API which allows non-standard features to be added without the need to modify the source code. A variety of plug-ins are available from the Plugin Repository.
On 3 May 2015, Roundcube announced, in partnership with Kolab Systems AG, that they planned to completely rewrite Roundcube and create Roundcube Next. A crowdfunding campaign was set up to finance the project. The goal of $80,000 was reached on June 24.[11] The final amount raised was US$103,541.[12]
Roundcube Next was intended to include additional features like calendar, chat and file management. This was to be implemented using WebRTC and connectors from popular services like Dropbox and OwnCloud.
However, Kolab Systems and Roundcube stopped development on the project in 2016, with no information or refunds provided to project backers, leading to a failed crowdfund.[13] A Roundcube developer later claimed Roundcube had no ownership over the Roundcube Next campaign,[14] despite its public engagement and ownership on the crowdfund page.
In a 2009 interview, two of Roundcube's core developers noted that the largest deployment to that date that they were aware of was at the University of Michigan with 70,013 students.[30] Roundcube is also used in the Kolab Now service which supports its further development.
cPanel includes Roundcube, as a result of which many hosting companies around the world such as HostGator,[31] Media Temple, Gandi, OVH[32] and others use Roundcube. The Roundcube Webmail IMAP client was also incorporated into epesiBIM (epesi Business Information Manager), a web-based, open source CRM-like application.
Apple's Mac OS X 10.7 Lion Server operating system provided Roundcube as the default webmail client in Mail Server.[33] In prior versions, SquirrelMail had been the default client.
In 2013, Iran's Ministry of ICT launched the national email service at mail.post.ir which used Roundcube.[34] Synology Inc.'s DiskStation Manager (DSM) uses Roundcube for their Mail Station package.[35]