Hi, I'm writing to correct a fatal reporting that was posted to one of the security focus mailing lists about SquirrelMail. It discusses files being accessible via the SquirrelMail website, and criticizes SquirrelMail to be at fault. The details for the exploit can be seen on the bugtraq website [1]. Fortunately it is an invalid accusation. Even minor exploration would point the issue to the imap server itself. I'd like to draw peoples attention to the University of Washington's IMAP FAQ page [1], it clearly describes details on accessing /etc/passwd as detailed in the bugtraq item that was submitted. I'd be grateful if that portion of the ticket was revoked as invalid, as any testing performed with other IMAP servers such as Courier-IMAP, or Cyrus all return no mailboxes. The file moving/deletion vulnerability would also appear to be an IMAP dependant issue, as you cannot access arbitrary files from other IMAP servers, as other IMAP servers don't appear to treat all files equally. I am currently looking into the privilege escalation 'issue' that was also posted as part of the bug. Please note in future that any security related issues can be posted to any member of the SquirrelMail leadership team [2], or any of the mailing lists. We also have a dedicated mailing address for security alerts at securityat_private [1] http://www.securityfocus.com/bid/7952 [2] http://www.washington.edu/imap/IMAP-FAQs/index.html#5.1 [3] http://www.squirrelmail.org/about.php -- Jonathan Angliss (jonat_private)
This archive was generated by hypermail 2b30 : Mon Jun 23 2003 - 13:38:05 PDT