[horde] HELP!! disclosure of files that contains sensitive data

Jan Schneider jan at horde.org
Tue May 25 09:42:55 PDT 2004


Quoting sandra hernandez <sandra at fib.upc.es>:

> I recently discovered a problem with our horde/imp implementation.
> Anyone can disclose any file that has read permissions for
> user-www/other with horde/imp applications. The person who wants to
> access only has to log in to imp, and then change the URL to something
> like this:
>
> https://machine/horde/imp/mailbox.php?mailbox=/etc/passwd&actionID=000&Horde=xxxxxx
> (where xxxxxx is session identifier)
>
> This bug had been reported on Jul 13, 2001 as you can see in
> http://www.securityfocus.com/bid/3067/info

This bug is completely crap as this is *not* an IMP issue, but a
misconfigured IMAP server. This can be exposed by *any* IMAP client
accessing this server.

Jan.

--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting.php
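
A log check for the request pattern in the quoted report, added here as an example and not part of the original thread or of Horde's code: it scans web-server access logs for `mailbox.php` requests whose `mailbox` parameter decodes to an absolute filesystem path. The log lines, client addresses and session ids are constructed, and the combined log format and the function name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (assumed); all values are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [25/May/2004:09:01:12 -0700] "GET /horde/imp/mailbox.php?mailbox=INBOX&actionID=000&Horde=aaaa HTTP/1.1" 200 5120
192.0.2.44 - - [25/May/2004:09:03:40 -0700] "GET /horde/imp/mailbox.php?mailbox=/etc/passwd&actionID=000&Horde=bbbb HTTP/1.1" 200 1843
192.0.2.44 - - [25/May/2004:09:04:02 -0700] "GET /horde/imp/mailbox.php?mailbox=%2Fetc%2Fpasswd&Horde=bbbb HTTP/1.1" 200 1843
192.0.2.10 - - [25/May/2004:09:05:30 -0700] "GET /horde/imp/mailbox.php?mailbox=INBOX.Sent&Horde=aaaa HTTP/1.1" 200 2048
192.0.2.10 - - [25/May/2004:09:06:01 -0700] "GET /horde/imp/compose.php?to=/dev/null HTTP/1.1" 200 300
"""

# client, timestamp, request target, status
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})'
)


def suspicious_mailbox_requests(log_text):
    """Return (client, timestamp, mailbox, status) tuples for mailbox.php
    requests whose mailbox parameter is an absolute path rather than an
    IMAP folder name such as INBOX."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, when, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/imp/mailbox.php"):
            continue
        # parse_qs percent-decodes, so %2Fetc%2Fpasswd is caught as well
        for mailbox in parse_qs(url.query).get("mailbox", []):
            if mailbox.startswith("/"):
                hits.append((client, when, mailbox, int(status)))
    return hits


if __name__ == "__main__":
    for client, when, mailbox, status in suspicious_mailbox_requests(SAMPLE_LOG):
        print(f"{when} {client} mailbox={mailbox!r} status={status}")
```

A hit shows only that the request was made; whether file contents were returned depends on how the IMAP server behind IMP resolves mailbox names, which is where the reply above places the problem.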


