[horde] Solution:: HELP!! disclosure of files that contains sensitive data

sandra hernandez sandra at fib.upc.es
Wed May 26 08:43:33 PDT 2004


Hi,
Thanks Jan. You are right, it is an IMAP issue.
Browsing UW-IMAP documentation I found this:

> Suppose you want to disable non-namespace access to the filesystem root and other users' names, but do not want to go to the extreme of chroot() and you want to allow access to a traditional UNIX format INBOX in the mail spool directory.  You need to change variable restrictBox, changing the line which reads:
>
>    static short restrictBox = NIL; /* is a restricted box */
>
> to be:
>
>    static short restrictBox = -1;  /* is a restricted box */

I changed this and the problem is corrected for now.

But I have another question. How can anyone exploit this "bug" to move/execute files?
I know that anyone can display files, but it seems that anyone can also
move, delete, etc. www's files without having account passwords.

Any help would be very appreciated,

Sandra




