From: David Harris <dharris@drh.net>
To : <imapvpop@davideous.com>
Date: Tue, 11 Jan 2000 22:00:30 -0500
[background06] Alex Howansky getpwnam replacement 2 of 3
I ran into a guy that created a getpwnam replacement patch for uwimap and
shared my concerns. He then tested his code and found a security hole, which
he fixed. This verified my suspicions.
This e-mail is where he verified my suspicions.
- David Harris
Principal Engineer, DRH Internet Services
-----Original Message-----
From: Alex Howansky [mailto:alex@wankwood.com]
Sent: Wednesday, December 29, 1999 1:58 PM
To: David Harris
Subject: IMAP patches
I hope you don't mind me mailing you directly -- I don't think this belongs on the Imp list.

I wouldn't mind helping out with the PostgreSQL side of your mods, but I also have an immediate need for this type of patch, so I'm continuing with mine for now.

With your comments in mind, I changed the code in the mailboxfile() function in env_unix.c so that the checks for "..", "//", and "/~" in the mailbox name occur for every mailbox name, not just for blackbox/anonymous use. This cured the problem with a user being able to specify a mailbox name like "../anotheruser". However, with a little further experimenting, I discovered that they could still specify an absolute pathname as a mailbox name. For example, if my virtual user layout is like this:

/virtual/domain1.com/usera
/virtual/domain2.com/userb
/virtual/domain2.com/userc

... usera could specify "/virtual/domain2.com/userc" as a mailbox and read userc's mail. Thanks for your info earlier, I appreciate the objectiveness. In return, I just wanted to let you know that I had discovered this, in case you hadn't already done the same, and in case your own code might be vulnerable.

I fixed the problem by undoing my previous mods and simply rejecting any name that has ".." or '~' anywhere in it, or that begins with '/'. It works for everything I threw at it.

If you don't mind, I have two questions for you. One, do you think this simple check is sufficient? Two, I don't understand why the UW code checks for "//" and "/~" -- are these special IMAP folder names?

TIA
--
Alex Howansky
alex@wankwood.com
http://www.wankwood.com/
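
The two mailbox-name checks described in the message above, side by side, as an added example (not code from the original message or from the UW IMAP source). The function names are hypothetical, the NULL guard is an added assumption, and the sample names other than the two quoted in the message are constructed.

```c
#include <stdio.h>
#include <string.h>

/* First attempt described in the message: reject "..", "//" and "/~"
 * anywhere in the mailbox name. Returns 1 if the name is accepted. */
int accepts_first_check(const char *name)
{
    if (name == NULL)               /* added guard, not from the message */
        return 0;
    return !(strstr(name, "..") || strstr(name, "//") || strstr(name, "/~"));
}

/* Final rule described in the message: reject any name that contains
 * ".." or '~' anywhere, or that begins with '/'. Returns 1 if accepted. */
int accepts_final_check(const char *name)
{
    if (name == NULL)               /* added guard, not from the message */
        return 0;
    if (name[0] == '/')             /* absolute pathname */
        return 0;
    return !(strstr(name, "..") || strchr(name, '~'));
}

int main(void)
{
    /* The second and third names are quoted in the message;
     * the others are constructed for comparison. */
    static const char *samples[] = {
        "INBOX",
        "../anotheruser",
        "/virtual/domain2.com/userc",
        "~userc/mbox",
        "lists//imp",
    };
    size_t i;

    printf("%-30s %-6s %-6s\n", "mailbox name", "first", "final");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s %-6s %-6s\n", samples[i],
               accepts_first_check(samples[i]) ? "accept" : "reject",
               accepts_final_check(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The table shows where the two rules differ: the absolute pathname passes the first check and is rejected by the final one, while a name containing "//" is rejected by the first check and accepted by the final one.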