From: David R. <db...@gr...> - 2003-06-23 20:01:44
Seth Randall said:
> With the right permissions you can delete any file the user has access to.
> Or get a copy of passwd. If all I offer my users is email access, that
> login is all a cracker would need to get my passwd file with a list of
> everyone on my server. Although I think this is more of an IMAP server
> issue than SquirrelMail, we might want to check for mailboxes with leading
> /s or ../s

That's not a bad idea, but is it possible? I guess you would have to get a list of valid mailboxes from the server and then validate the mailbox against that list... but would it break anything else?

-Dave
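
One way to combine the two checks discussed in this message, as an added example that is not part of the original post and is not SquirrelMail code: a syntactic filter for leading `/` and `../`, followed by a lookup against the mailbox list the server returned. The function names and the sample mailbox list are hypothetical; the list stands in for a parsed IMAP LIST reply.

```php
<?php
// Added example: names are hypothetical, not SquirrelMail's own functions.

// Syntactic check: reject names that could act as a filesystem path.
function mailbox_name_is_safe(string $name): bool
{
    // Empty names and NUL/CR/LF/other control bytes are never valid here.
    if ($name === '' || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return false;
    }
    // Leading "/" is an absolute path; leading "~" is treated as a home
    // directory by some file-backed IMAP servers (assumption: reject both).
    if ($name[0] === '/' || $name[0] === '~') {
        return false;
    }
    // Reject "." and ".." as path segments anywhere, not only at the start.
    foreach (preg_split('#[/\\\\]#', $name) as $segment) {
        if ($segment === '.' || $segment === '..') {
            return false;
        }
    }
    return true;
}

// Allow-list check: the name must also be one the server itself listed.
function mailbox_is_allowed(string $requested, array $serverMailboxes): bool
{
    return mailbox_name_is_safe($requested)
        && in_array($requested, $serverMailboxes, true);
}

// Constructed sample standing in for the parsed reply to an IMAP LIST command.
$listed = ['INBOX', 'INBOX.Sent', 'Lists/squirrelmail-devel'];

// Constructed request values, as they might arrive in a mailbox parameter.
$requests = ['INBOX', 'Lists/squirrelmail-devel', '/etc/passwd',
             '../../etc/passwd', 'Lists/../../etc/passwd', 'INBOX.Drafts'];

foreach ($requests as $r) {
    printf("%-26s %s\n", $r, mailbox_is_allowed($r, $listed) ? 'allow' : 'reject');
}
```

A folder that is being created is not in the server's list yet, so that path can only use the syntactic check.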