[imp] BUG?

Steven Stern sds-email-list at mindspring.com
Sun Jan 11 09:07:27 PST 2004


On Sun, 11 Jan 2004 17:38:38 +0100, Albert <albert at mentes.org> wrote:

>At 17:09 11/01/2004, you wrote:
>>On Sat, 10 Jan 2004 22:48:22 -0500, Chuck Hagenbuch <chuck at horde.org> wrote:
>>
>> >mailbox.php?mailbox=/etc/passwd
>>
>>Argh.  That happens on my box, too, using the default Fedora IMAP server. How
>>should I lock it down to prevent it?
>
>Hello,
>If you use Apache, you can use mod_security:
>
>http://www.modsecurity.org/
>
>In the mod_security section in my httpd.conf I prevent it this way:
>
>SecFilter mailbox=/ "redirect:https://webmail.host.org"
>
>P.S. You must make more filters to prevent path traversal, etc. ;)
>
>Regards,
>Albert


Wouldn't it make more sense to patch mailbox.php to prevent opening a mailbox
that's not on the folders list?  I don't know PHP... anyone up to the task?
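
The check proposed above, as an added PHP example that is not part of the original thread and not IMP's or Horde's code: the `mailbox` request value is accepted only when it exactly matches an entry in the user's folder list. The function name `resolve_mailbox` and the `$folders` array are hypothetical; how the application obtains the folder list from the IMAP server is assumed, and the sample values are constructed.

```php
<?php
// Added illustration; not code from IMP or Horde.
// $folders stands in for the folder list the IMAP server reports for the
// logged-in user (hypothetical name, constructed sample data below).

/**
 * Return the requested mailbox only if it is an exact member of the
 * user's folder list. Anything else yields null so the caller can log
 * the rejection and fall back to a safe default.
 */
function resolve_mailbox($requested, array $folders)
{
    // Request parameters can arrive as arrays (mailbox[]=...); reject them.
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    // Reject NUL and other control bytes before any comparison.
    if (preg_match('/[\x00-\x1f\x7f]/', $requested)) {
        return null;
    }
    // Strict, whole-string comparison: no prefix, pattern or loose match.
    return in_array($requested, $folders, true) ? $requested : null;
}

// Constructed sample folder list and request values.
$folders = array('INBOX', 'Sent', 'Drafts', 'lists/imp');
$samples = array(
    'INBOX',
    'lists/imp',
    '/etc/passwd',          // the value reported in this thread
    'lists/imp/../../x',    // traversal-style value, not in the list
    array('INBOX'),         // wrong type
);

foreach ($samples as $s) {
    $label   = is_string($s) ? $s : gettype($s);
    $mailbox = resolve_mailbox($s, $folders);
    if ($mailbox === null) {
        // Record the rejected value for later review, then use the default.
        error_log('mailbox rejected: ' . $label);
        $mailbox = 'INBOX';
    }
    printf("%-20s => %s\n", $label, $mailbox);
}
```

Unlike the `SecFilter mailbox=/` rule quoted earlier, this rejects every value that is not in the list rather than only values containing a slash, so a legitimate nested folder such as `lists/imp` still opens.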

