Bug#198560: uw-imapd: uw-imapd operates on any file in the filesytem, not just mailboxes
Package: uw-imapd
Version: 4:2001adebian-6
Severity: grave
Tags: security, woody
uw-imapd and uw-imapd-ssl are insecure by default. They allow a logged in
user to retrieve or manipulate any file on the filesystem. This was
discovered as a squirrelmail bug, but is actually a UW-IMAP bug. The
exploits do not work on other IMAP servers.
Note: This is only relevant on systems where users are not supposed to have
shell access (ie email-only users). Other users would be able to access
these files anyway.
More information is here:
http://www.securityfocus.com/bid/7952/exploit/
See this Squirrelmail-devel thread:
http://sourceforge.net/mailarchive/forum.php?thread_id=2641998&forum_id=7139
The UW-IMAP FAQ says that this is a known issue and reccomends a
compile-time option to env_unix.c, setting "restrictBox" to prevent allowing
users to access / and .. :
http://www.washington.edu/imap/IMAP-FAQs/index.html#5.1
Please change this option for uw-imapd and uw-imapd-ssl.
Thank you,
-Chris
Reply to: