Bug#301561: Should we just remove openwebmail?
retitle 301561 "RM: openwebmail -- RoQA; RC bugs, vulnerable code"
reassign 301561 ftp.debian.org
On Fri, Apr 29, 2005 at 12:07:06PM +0200, Matej Vela wrote:
> On Thu, Apr 28, 2005 at 11:20:22PM +1000, Andrew Pollock wrote:
> > openwebmail is orphaned, but has only been so for 32 days.
> > That said, it's got security issues, and hasn't been part of a stable
> > release.
> > So I'm personally inclined not to let it linger for a while on the grounds
> > that it's got security issues, and just get it the hell out of the archive.
> > It's not like Debian's short of webmail packages.
> > That said, a non-DD has prepared an updated package as of a week ago, but no
> > one has sponsored it yet.
> > Just wondering what peoples' thoughts are?
> I took a look at the current upstream version (2.51).
> * cgi-bin/openwebmail/modules/tool.pl: Upstream no longer uses completely
> predictable temporary filenames, but the race condition between checking
> whether a file exists and actually opening it is still there.
> * cgi-bin/openwebmail/openwebmail-abook.pl: The user can execute arbitrary
> commands by passing "file=; ... |" to addrviewatt().
> * cgi-bin/openwebmail/openwebmail-folder.pl: The user can execute arbitrary
> commands by passing "folder=; ... |" to downloadfolder().
> * cgi-bin/openwebmail/openwebmail-webdisk.pl: If the user has FTP access
> and uploads a file named "; ... |", editfile() and downloadfile() will
> execute the command.
> * cgi-bin/openwebmail/openwebmail-webdisk.pl: The user can execute
> arbitrary commands by uploading a URL in the form "http://foo/; ...".
> I stopped looking at this point. The code is rife with vulnerabilities, and
> needs to be audited line by line; I'm not sure this is likely anytime soon.
> I think we should remove it. (It can always be added back if it's fixed.)
That's good enough reason for me.