Package: atmailopen
Version: 1.03+dfsg+svn91-1
Severity: grave
Tags: security
Justification: user security hole
When atmailopen is enabled on a site by editing /etc/atmailopen/apache.conf or /etc/atmailopen/lighttpd.conf, the software allows anyone with access to the web server to make a connection from that server to any IMAP or POP3 host. This can be prevented by setting allowed_mailservers and/or mailserver in /usr/share/atmailopen/libs/Atmail/Config.php to localhost. This should be the default.

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (990, 'stable'), (400, 'testing'), (300, 'experimental'), (300, 'unstable')
Architecture: amd64 (x86_64)

Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-rvdb
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)

Versions of packages atmailopen depends on:
ii  apache2              2.2.9-10+lenny2        Apache HTTP Server metapackage
ii  apache2-mpm-prefor   2.2.9-10+lenny2        Apache HTTP Server - traditional n
ii  dbconfig-common      1.8.29+etch1           common framework for packaging dat
ii  debconf [debconf-2   1.5.11etch2            Debian configuration management sy
ii  fckeditor            1:2.6.2-1              rich text format javascript web ed
ii  libjs-prototype      1.6.0.2-4              JavaScript Framework for dynamic w
ii  mysql-client         5.0.32-7etch8          mysql database client (meta packag
ii  mysql-client-5.0 [   5.0.32-7etch8          mysql database client binaries
ii  php-date             1.4.7-1                PHP PEAR module for date and time
ii  php-db               1.7.13-2               PHP PEAR Database Abstraction Laye
ii  php-mail             1.1.14-1               PHP PEAR module for sending email
ii  php-mail-mime        1.5.2-0.1              PHP PEAR module for creating MIME
ii  php-net-ldap         1:1.1.1-1              a OO interface for searching and m
ii  php-net-smtp         1.3.1-1                PHP PEAR module implementing SMTP
ii  php-net-socket       1.0.8-2                PHP PEAR Network Socket Interface
ii  php5                 5.2.6.dfsg.1-1+lenny2  server-side, HTML-embedded scripti
ii  php5-mysql           5.2.6.dfsg.1-1+lenny2  MySQL module for php5

atmailopen recommends no packages.

-- debconf information excluded
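The mitigation the report asks for is an allow-list check on the mail host before the webmail front end opens an IMAP/POP3 connection. The following PHP is an added illustration, not Atmail's code; it assumes the two config keys named in the report (allowed_mailservers, mailserver) hold plain host names, and the function names are hypothetical.

```php
<?php
// Added example (not from the atmailopen package): refuse to connect to any
// IMAP/POP3 host that is not on the configured allow list, so the web server
// cannot be used as a relay to arbitrary mail servers. With nothing configured
// the only permitted host is localhost, the default the bug report requests.
// The shape of allowed_mailservers (an array of host names) is an assumption.

/**
 * Normalise a host string for comparison: lowercase, trimmed, ":port" removed.
 * Returns null for anything that is not a plain host name or IPv4 literal
 * (rejects "user@host", URLs, whitespace; bracketed IPv6 is not handled here).
 */
function normalise_mailhost(string $host): ?string
{
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d+$/', '', $host);
    if ($host === '' || !preg_match('/^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/', $host)) {
        return null;
    }
    return $host;
}

/**
 * Return the mail server to connect to, or null when the client-supplied host
 * is not on the allow list. A missing allow list falls back to the single
 * configured mailserver, and a missing mailserver falls back to localhost.
 */
function resolve_mailserver(?string $requested, array $config): ?string
{
    $default = $config['mailserver'] ?? 'localhost';
    $allowed = $config['allowed_mailservers'] ?? [$default];
    // Drop entries that do not normalise (malformed config cannot widen access).
    $allowed = array_filter(array_map('normalise_mailhost', $allowed));

    if ($requested === null || $requested === '') {
        return normalise_mailhost($default);   // client named no host: use default
    }
    $host = normalise_mailhost($requested);
    if ($host === null || !in_array($host, $allowed, true)) {
        return null;                            // refuse: host not on the allow list
    }
    return $host;
}

// Locked-down configuration in the spirit of the report (constructed values):
$config = ['mailserver' => 'localhost', 'allowed_mailservers' => ['localhost']];
var_dump(resolve_mailserver('localhost:143', $config));
var_dump(resolve_mailserver('203.0.113.5', $config));   // documentation-range IP, refused
```

Only a null return should be treated as permission to connect; the check belongs before any socket is opened, and logging refused hosts gives a useful signal that someone is probing the relay.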