[imp] security issue
Chuck Hagenbuch
chuck at horde.org
Fri Feb 13 08:31:00 PST 2004
Quoting Dan Williamson <dwilliamson at uesiglo21.edu.ar>:
> How are people solving the issue of being able to read arbitrary
> files on the host system?
>
> For instance,
>
> https://webmail.yoursite.org/horde/imp/mailbox.php?mailbox=../../../../../../../etc/passwd
This has nothing to do with IMP - you're using UW Imapd, and it will provide
those files to any IMAP client. If you don't want that to happen, use a
different IMAP server or lock yours down differently.
> The use of
> https://webmail.yoursite.org/horde/admin/css/index.php?file=arbitrary_path_and_file
>
> will provide the same without a valid login.
The css editor was removed for this and other reasons several releases ago.
Delete it.
-chuck
--
"Here, I brought some cole slaw. It's made from peeeooople! Just kidding."
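
Added example, not part of the original message or of Horde/IMP: a small access-log check that flags the two request shapes discussed in this thread, a `mailbox` parameter containing `..` path segments and any request to the removed CSS editor script. The Common Log Format layout and the sample lines are constructed assumptions; the script paths are the ones quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

CSS_EDITOR = "/horde/admin/css/index.php"   # removed script named in the thread
MAILBOX_SCRIPT = "/horde/imp/mailbox.php"
# Request part of a Common Log Format line (assumed log layout).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_unquote(value, rounds=3):
    """Undo nested percent-encoding so encoded '../' is compared in plain form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a finding label for one access-log line, or None if it looks normal."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    path = fully_unquote(url.path)
    if path.endswith(CSS_EDITOR):
        return "css-editor-request"
    if path.endswith(MAILBOX_SCRIPT):
        for value in parse_qs(url.query).get("mailbox", []):
            name = fully_unquote(value).replace("\\", "/")
            # Match '..' only as a whole path segment, so 'a..b' is not flagged.
            if ".." in name.split("/"):
                return "mailbox-path-traversal"
    return None

def scan(lines):
    """Return (line_number, finding) pairs for every flagged line."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, finding) for n, finding in hits if finding]

# Constructed sample log lines (not taken from any real server).
SAMPLE = [
    '192.0.2.10 - - [13/Feb/2004:08:00:01 -0800] "GET /horde/imp/mailbox.php?mailbox=INBOX HTTP/1.1" 200 5120',
    '192.0.2.11 - - [13/Feb/2004:08:00:05 -0800] "GET /horde/imp/mailbox.php?mailbox=../../../../../../../etc/passwd HTTP/1.1" 200 1830',
    '192.0.2.11 - - [13/Feb/2004:08:00:07 -0800] "GET /horde/imp/mailbox.php?mailbox=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1830',
    '192.0.2.12 - - [13/Feb/2004:08:00:09 -0800] "GET /horde/admin/css/index.php?file=arbitrary_path_and_file HTTP/1.1" 200 900',
    '192.0.2.13 - - [13/Feb/2004:08:00:11 -0800] "GET /horde/imp/mailbox.php?mailbox=notes..2004 HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE):
        print(number, finding)
```

A hit on the CSS editor path with a 200 status means the script is still present on disk and should be deleted as the reply says.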