[imp] security issue
Dan Williamson
dwilliamson at uesiglo21.edu.ar
Fri Feb 13 08:26:17 PST 2004
How are people solving the issue of being able to read arbitrary files on the host system?
For instance,
https://webmail.yoursite.org/horde/imp/mailbox.php?mailbox=../../../../../../../etc/passwd
or even
https://webmail.yoursite.org/horde/imp/mailbox.php?mailbox=/etc/passwd
will list the password file or any other file with either world read or logged-in user read privileges.
The use of
https://webmail.yoursite.org/horde/admin/css/index.php?file=arbitrary_path_and_file
will provide the same without a valid login.
Anyone know the easiest way to avoid this behavior? Are there updates to apply?
thanks and please respond to: dwilliamson@<removespamtrap>uesiglo21.edu.ar
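
Added example, not part of the original post and not Horde/IMP code: a general server-side check for request values like the `mailbox` and `file` parameters quoted above, rejecting absolute paths and `..` segments and confirming that the resolved path stays inside one allowed directory. The function names and the demo base directory are hypothetical.

```php
<?php
// Added example, not Horde/IMP code. Function names and the base directory
// are hypothetical. $value is the parameter as PHP delivers it in $_GET.

// Accept only a plain relative name: no NUL, no leading "/" or "~", no "\", no "..".
function is_safe_relative_name(string $value): bool
{
    if ($value === '' || strpos($value, "\0") !== false) {
        return false;
    }
    if ($value[0] === '/' || $value[0] === '~' || strpos($value, '\\') !== false) {
        return false;
    }
    return !in_array('..', explode('/', $value), true);
}

// Resolve $value under $baseDir. Returns the canonical path, or null when the
// target is missing or ends up outside $baseDir (for example through a symlink).
function resolve_under(string $baseDir, string $value): ?string
{
    if (!is_safe_relative_name($value)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = ($base === false) ? false : realpath($base . '/' . $value);
    if ($path === false) {
        return null;
    }
    $prefix = rtrim($base, '/') . '/';
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary directory stands in for the allowed base.
$base = sys_get_temp_dir() . '/imp_demo_' . getmypid();
mkdir($base);
file_put_contents($base . '/screen.css', "body{}\n");
foreach (['screen.css', '/etc/passwd', '../../../../../../../etc/passwd'] as $v) {
    printf("%-34s %s\n", $v, resolve_under($base, $v) === null ? 'rejected' : 'allowed');
}
unlink($base . '/screen.css');
rmdir($base);
```

Run with the PHP CLI, the demo allows `screen.css` and rejects the two path forms from the post.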