Re: Should we just remove openwebmail?
On Thu, Apr 28, 2005 at 11:20:22PM +1000, Andrew Pollock wrote:
> openwebmail is orphaned, but has only been so for 32 days.
>
> That said, it's got security issues, and hasn't been part of a stable
> release.
>
> So I'm personally inclined not to let it linger for a while on the grounds
> that it's got security issues, and just get it the hell out of the archive.
> It's not like Debian's short of webmail packages.
>
> That said, a non-DD has prepared an updated package as of a week ago, but no
> one has sponsored it yet.
>
> Just wondering what people's thoughts are?
I took a look at the current upstream version (2.51).
* cgi-bin/openwebmail/modules/tool.pl: Upstream no longer uses completely
predictable temporary filenames, but the race condition between checking
whether a file exists and actually opening it is still there.
* cgi-bin/openwebmail/openwebmail-abook.pl: The user can execute arbitrary
commands by passing "file=; ... |" to addrviewatt().
* cgi-bin/openwebmail/openwebmail-folder.pl: The user can execute arbitrary
commands by passing "folder=; ... |" to downloadfolder().
* cgi-bin/openwebmail/openwebmail-webdisk.pl: If the user has FTP access
and uploads a file named "; ... |", editfile() and downloadfile() will
execute the command.
* cgi-bin/openwebmail/openwebmail-webdisk.pl: The user can execute
arbitrary commands by uploading a URL in the form "http://foo/; ...".
I stopped looking at this point. The code is rife with vulnerabilities, and
needs to be audited line by line; I'm not sure this is likely anytime soon.
I think we should remove it. (It can always be added back if it's fixed.)
Thanks,
Matej
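The two bug classes named in the list above (a two-argument Perl open() that lets a name ending in "|" become a pipe, and a check-then-open temp-file race) next to their hardened forms. This is an added illustration, not openwebmail's code; the function names, the "$dir/$name" layout and the file-name whitelist are assumptions.

```perl
#!/usr/bin/perl
# Added illustration of the two bug classes named above; not openwebmail's code.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile tempdir);

# Bug class 1: two-argument open() lets the *data* pick the mode.
#   open(my $fh, $name);   # a name ending in "|" is run as a command
# Fix: three-argument open() pins the mode; also whitelist the name.
sub open_attachment_readonly {
    my ($dir, $name) = @_;            # $dir/$name layout is an assumption
    # plain basename only: no "/", no ";" or "|", no whitespace, not "." or ".."
    die "invalid file name\n"
        unless $name =~ /\A[A-Za-z0-9._-]+\z/ && $name !~ /\A\.\.?\z/;
    my $path = "$dir/$name";
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";  # '<' can never mean a pipe
    return $fh;
}

# Bug class 2: check-then-open on a temp name (TOCTOU race).
#   if (!-e $tmp) { open(my $fh, '>', $tmp) }   # $tmp can appear between the two calls
# Fix: let the kernel do the existence check atomically with O_CREAT|O_EXCL.
sub create_exclusive {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "refusing to reuse existing $path: $!\n";
    return $fh;
}

# Same guarantee with an unpredictable name, via File::Temp (uses O_EXCL internally).
sub create_temp_exclusive {
    my ($dir) = @_;
    return tempfile('owm-XXXXXXXX', DIR => $dir, UNLINK => 0);  # ($fh, $path)
}

# Demo on a constructed scratch directory.
my $dir = tempdir(CLEANUP => 1);
my ($tfh, $tpath) = create_temp_exclusive($dir);
print {$tfh} "hello\n";
close $tfh;
eval { create_exclusive($tpath) };
print "second create: $@";                           # fails: file already exists
eval { open_attachment_readonly($dir, '; ... |') };
print "hostile name: $@";                            # rejected before open()
my $rfh = open_attachment_readonly($dir, (split m{/}, $tpath)[-1]);
print scalar <$rfh>;                                 # hello
```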