From: David Harris <dharris@drh.net>
To : <imapvpop@davideous.com>
Date: Tue, 11 Jan 2000 22:00:36 -0500
[background07] Alex Howansky getpwnam replacement 3 of 3
I ran into a guy that created a getpwnam replacement patch for uwimap and
shared my concerns. He then tested his code and found a security hole, which
he fixed. This verified my suspicions.
In this e-mail I tell him about another concern I have.
(You can see from the third paragraph that I was a little up-tight about
what I release, before now. Right now I just want to get the patch out the
door. Oh well.)
- David Harris
Principal Engineer, DRH Internet Services
-----Original Message-----
From: David Harris [mailto:dharris@drh.net]
Sent: Friday, December 31, 1999 2:10 PM
To: Alex Howansky [alex@wankwood.com]
Subject: RE: [imp] Updated UW-IMAP patch to allow virtual users
I forgot to tell you about another possible problem. Do you know what value
sysInBox in env_unix.c is being set to? You need to make sure that this
variable is not set, because you could end up reading
/var/spool/mail/USERNAME by accident. For example, you might have a virtual
user with the same username as a real UNIX user on your system. UNIX
permissions will probably save you here, but things could get screwed up.
I'd be happy to give you a copy of my patch. I just ask that you don't
integrate it into your code, show it around, or otherwise publish it yet...
I've put a good bit of work into it and I want to publish it on
davideous.com... and I'm also very careful about what I put my name on and
release... and it's also got a bit of proprietary authentication backend in
the current state (which will be replaced with a generic backend when I
release it)... so consider this a "pre-beta" evaluation copy.
Does that work for you?
- David Harris
Principal Engineer, DRH Internet Services
-----Original Message-----
From: Alex Howansky [mailto:alex@wankwood.com]
Sent: Thursday, December 30, 1999 6:41 PM
To: imp@horde.org
Subject: [imp] Updated UW-IMAP patch to allow virtual users
I've updated my patches to address the issue brought up by David Harris
regarding users being able to read other users' mail by using a carefully
crafted foldername. I threw everything I had at it and couldn't break
it. YMMV. :)
The new version is available at http://www.wankwood.com/getpg/
Thanks again David.
--
Alex Howansky
alex@wankwood.com
http://www.wankwood.com/
--
IMP mailing list: http://web.horde.org/
To unsubscribe, e-mail: imp-unsubscribe@horde.org
For additional commands, e-mail: imp-help@horde.org
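The two concerns raised in this thread (a crafted folder name reaching another user's mail, and a virtual user's INBOX colliding with the system spool of a same-named UNIX account) both come down to how a folder name is turned into a path. The check below is an added example written for this page, not code from either patch; the VROOT layout, the on-disk naming and the function name are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: resolve a folder name requested by a virtual user
 * to a path that always stays inside that user's directory under VROOT,
 * so a crafted name cannot reach another user's mail and INBOX never maps
 * to /var/spool/mail/USERNAME (the sysInbox location of a same-named UNIX
 * account). Returns 0 and fills out[] on success, -1 if rejected. */
#define VROOT "/var/vmail"   /* assumed virtual-mail root */

static int safe_component(const char *s, size_t n)
{
    /* reject empty (from "//"), "." and ".." components */
    if (n == 0) return 0;
    if (n == 1 && s[0] == '.') return 0;
    if (n == 2 && s[0] == '.' && s[1] == '.') return 0;
    return 1;
}

int resolve_virtual_mailbox(const char *user, const char *folder,
                            char *out, size_t outlen)
{
    const char *p = folder;
    size_t n;
    int r;

    /* the user name comes from authentication but gets the same check */
    if (!safe_component(user, strlen(user)) || strchr(user, '/')) return -1;
    if (folder[0] == '\0' || folder[0] == '/' || folder[0] == '~') return -1;

    /* INBOX is a fixed file under the virtual root, never the system spool
     * (real IMAP compares INBOX case-insensitively; kept simple here) */
    if (strcmp(folder, "INBOX") == 0) {
        r = snprintf(out, outlen, "%s/%s/INBOX", VROOT, user);
        return (r < 0 || (size_t)r >= outlen) ? -1 : 0;
    }

    /* walk each '/'-separated component and reject any traversal */
    while (*p) {
        n = strcspn(p, "/");
        if (!safe_component(p, n)) return -1;
        p += n;
        if (*p == '/') p++;
    }
    if (folder[strlen(folder) - 1] == '/') return -1;   /* trailing slash */

    r = snprintf(out, outlen, "%s/%s/folders/%s", VROOT, user, folder);
    return (r < 0 || (size_t)r >= outlen) ? -1 : 0;
}
```

The lexical check is deliberate: the mailbox tree need not exist yet, so the path is rejected before anything touches the filesystem.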