From: David Harris <email@example.com>
To : <firstname.lastname@example.org>
Date: Tue, 11 Jan 2000 22:00:30 -0500
[background06] Alex Howansky getwpman replacement 2 of 3
I ran into a guy that created a getpwman replacement patch for uwimap and
shared my concerns. He then tested his code and found a security hole, which
he fixed. This verified my suspicions.
This e-mail is where he verified my suspicions.
- David Harris
Principal Engineer, DRH Internet Services
From: Alex Howansky [mailto:email@example.com]
Sent: Wednesday, December 29, 1999 1:58 PM
To: David Harris
Subject: IMAP patches
I hope you don't mind me mailing you directly -- I don't think this belongs
the Imp list.
I wouldn't mind helping out with the PostgreSQL side of your mods, but I
have an immediate need for this type of patch, so I'm continuing with mine
With your comments in mind, I changed the code in the mailboxfile() function
env_unix.c so that the checks for "..", "//", and "/~" in the mailbox name
occur for every mailbox name, not just for blackbox/anonymous use. This
the problem with a user being able to specify a mailbox name like
"../anotheruser". However, with a little further experimenting, I discovered
that they could still specify an absolute pathname as a mailbox name. For
example, if my virtual user layout is like this:
... usera could specify "/virtual/domain2.com/userc" as a mailbox and read
userc's mail. Thanks for your info earlier, I appreciate the objectiveness.
return, I just wanted to let you know that I had discovered this, in case
hadn't already done the same, and in case your own code might be vulnerable.
I fixed the problem by undoing my previous mods and simply rejecting any
that has ".." or '~' anywhere in it, or that begins with '/'. It works for
everything I threw at it.
If you don't mind, I have two questions for you. One, do you think this
check is sufficient? Two, I don't understand why the UW code checks for "//"
and "/~" -- are these special IMAP folder names?