[imp] security issue
test account
user1 at benmaytestbox.bsd.uchicago.edu
Fri Feb 13 08:39:40 PST 2004
I was not able to get your security hole to work.
Could you please explain how it works?
-Ian
Quoting Dan Williamson <dwilliamson at uesiglo21.edu.ar>:
>
>
> How are people solving the issue of being able to read arbitrary files on the
> host system?
>
> For instance,
>
>
> https://webmail.yoursite.org/horde/imp/mailbox.php?mailbox=../../../../../../../etc/passwd
>
>
> or even
>
> https://webmail.yoursite.org/horde/imp/mailbox.php?mailbox=/etc/passwd
>
> will list the password file or any other file with either world read or
> logged-in user read privileges.
>
> The use of
>
>
> https://webmail.yoursite.org/horde/admin/css/index.php?file=arbitrary_path_and_file
>
> will provide the same without a valid login.
>
> Anyone know the easiest way to avoid this behavior? Are there updates to
> apply?
>
> thanks and please respond to: dwilliamson@<removespamtrap>uesiglo21.edu.ar
> --
> IMP mailing list - Join the hunt: http://horde.org/bounties/#imp
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
>
>
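A log check for the request patterns quoted above, as an added example that is not part of the original posts or of Horde's code. It assumes Apache-style combined access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint -> parameter pairs taken from the URLs quoted in the post.
WATCHED = {
    "/horde/imp/mailbox.php": "mailbox",
    "/horde/admin/css/index.php": "file",
}
# Request field of a Common/Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_value(value):
    """Return why a parameter value looks like a filesystem path, or None."""
    # parse_qs decoded once already; decode again to catch double encoding.
    normalized = unquote(value).replace("\\", "/")
    if normalized.startswith("/"):
        return "absolute path"
    if ".." in normalized.split("/"):
        return "parent-directory segment"
    return None


def scan(lines):
    """Return (client, path, param, value, reason) for each flagged request."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        param = WATCHED.get(url.path)  # None for endpoints we do not watch
        for value in parse_qs(url.query).get(param, []):
            reason = suspicious_value(value)
            if reason:
                findings.append((line.split(" ", 1)[0], url.path, param, value, reason))
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [13/Feb/2004:08:01:02 -0800] "GET /horde/imp/mailbox.php?mailbox=INBOX HTTP/1.1" 200 5120',
    '192.0.2.11 - - [13/Feb/2004:08:02:10 -0800] "GET /horde/imp/mailbox.php?mailbox=../../../../../../../etc/passwd HTTP/1.1" 200 812',
    '192.0.2.11 - - [13/Feb/2004:08:02:40 -0800] "GET /horde/imp/mailbox.php?mailbox=/etc/passwd HTTP/1.1" 200 812',
    '192.0.2.12 - - [13/Feb/2004:08:03:05 -0800] "GET /horde/admin/css/index.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```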