Tracker: Bugs

5 Possibility to get system configuration files - ID: 1557078
Last Update: Comment added ( tokul )

SM ver. 1.4.4

There is a possibility to watch any file with http user
rights. For example:

https://mail_host/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=../../../etc/some_file





Nobody/Anonymous ( nobody ) - 2006-09-12 12:01

5

Closed

Fixed

Tomas Kuliavas

Message Display

None

Public


Comments ( 3 )

Date: 2006-09-30 07:39
Sender: tokul

Logged In: YES
user_id=225877

Fixed in 1.5.2cvs and 1.4.9cvs.

sqimap_mailbox_select() function blocks all mailboxes that
start with / or contain ../. $imap_server_type variable is
not checked for 'uw'.
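
As an added illustration (not part of the tracker thread and not SquirrelMail code), the Python below applies the rule stated in the comment above, a mailbox name that starts with / or contains ../, to the mailbox parameter of requests in a web server access log. The combined log format, the function names, other_script.php and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def mailbox_is_blocked(name):
    """Rule from the fix comment: name starts with '/' or contains '../'."""
    return name.startswith("/") or "../" in name


def suspicious_mailboxes(log_lines):
    """Return (line_number, decoded_mailbox) for requests the rule rejects."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # Every script is checked, not only right_main.php: a comment in the
        # thread says other SquirrelMail scripts can be used the same way.
        query = urlsplit(match.group(1)).query
        # parse_qs percent-decodes values, so %2F and %2E are compared as
        # '/' and '.' instead of slipping past a raw substring match.
        for name in parse_qs(query).get("mailbox", []):
            if mailbox_is_blocked(name):
                hits.append((lineno, name))
    return hits


# Constructed sample entries (192.0.2.0/24 is a documentation range;
# other_script.php is a hypothetical script name).
_PREFIX = '192.0.2.10 - - [12/Sep/2006:12:00:00 +0000] "GET /src/'
_SUFFIX = ' HTTP/1.1" 200 5120'
SAMPLE_LOG = [
    _PREFIX + "right_main.php?sort=0&startMessage=1&mailbox=INBOX" + _SUFFIX,
    _PREFIX + "right_main.php?sort=0&mailbox=../../../etc/some_file" + _SUFFIX,
    _PREFIX + "right_main.php?mailbox=INBOX%2FArchive" + _SUFFIX,
    _PREFIX + "right_main.php?mailbox=..%2F..%2F..%2Fetc%2Fsome_file" + _SUFFIX,
    _PREFIX + "other_script.php?mailbox=%2Fetc%2Fsome_file" + _SUFFIX,
    _PREFIX + "webmail.php" + _SUFFIX,
]

if __name__ == "__main__":
    for lineno, name in suspicious_mailboxes(SAMPLE_LOG):
        print(f"line {lineno}: blocked mailbox name {name!r}")
```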


Date: 2006-09-29 18:47
Sender: tokul

Logged In: YES
user_id=225877

Correct fix is to turn on chroot in UW.

You can use other SquirrelMail scripts to do the same thing.


Date: 2006-09-12 12:13
Sender: tokul

Logged In: YES
user_id=225877

This feature is provided by your imap server. Set
imap_server_type to 'uw' or check uw IMAP configuration options.


Attached File

No Files Currently Attached

Changes ( 4 )

Field          Old Value  Date              By
status_id      Open       2006-09-30 07:39  tokul
resolution_id  None       2006-09-30 07:39  tokul
close_date     -          2006-09-30 07:39  tokul
assigned_to    nobody     2006-09-29 17:59  tokul