lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1671550353000.20030623152607@certiflexdimension.com>
Date: Mon, 23 Jun 2003 15:26:07 -0500
From: Jonathan Angliss <jon@...irrelmail.org>
To: bugtraq@...urityfocus.com
Subject: Invalid SquirrelMail Exploit


Hi,

I'm writing to correct a fatal reporting that was posted to one of the
security focus mailing lists about SquirrelMail.  It discusses files
being accessible via the SquirrelMail website, and criticizes
SquirrelMail to be at fault.  The details for the exploit can be seen
on the bugtraq website [1].

Fortunately it is an invalid accusation. Even minor exploration would
point the issue to the imap server itself. I'd like to draw peoples
attention to the University of Washington's IMAP FAQ page [1], it
clearly describes details on accessing /etc/passwd as detailed in the
bugtraq item that was submitted.

I'd be grateful if that portion of the ticket was revoked as invalid,
as any testing performed with other IMAP servers such as Courier-IMAP,
or Cyrus all return no mailboxes.

The file moving/deletion vulnerability would also appear to be an IMAP
dependant issue, as you cannot access arbitrary files from other IMAP
servers, as other IMAP servers don't appear to treat all files
equally.

I am currently looking into the privilege escalation 'issue' that was
also posted as part of the bug.

Please note in future that any security related issues can be posted
to any member of the SquirrelMail leadership team [2], or any of the
mailing lists.  We also have a dedicated mailing address for security
alerts at security@...irrelmail.org.

  [1] http://www.securityfocus.com/bid/7952
  [2] http://www.washington.edu/imap/IMAP-FAQs/index.html#5.1
  [3] http://www.squirrelmail.org/about.php

-- 
Jonathan Angliss
(jon@...irrelmail.org)



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ