On Thu, Apr 28, 2005 at 11:20:22PM +1000, Andrew Pollock wrote:
> openwebmail is orphaned, but has only been so for 32 days.
>
> That said, it's got security issues, and hasn't been part of a stable
> release.
>
> So I'm personally inclined not to let it linger for a while on the grounds
> that it's got security issues, and just get it the hell out of the archive.
> It's not like Debian's short of webmail packages.
>
> That said, a non-DD has prepared an updated package as of a week ago, but no
> one has sponsored it yet.
>
> Just wondering what people's thoughts are?
I took a look at the current upstream version (2.51).

* cgi-bin/openwebmail/modules/tool.pl: Upstream no longer uses completely
  predictable temporary filenames, but the race condition between checking
  whether a file exists and actually opening it is still there.

* cgi-bin/openwebmail/openwebmail-abook.pl: The user can execute arbitrary
  commands by passing "file=; ... |" to addrviewatt().

* cgi-bin/openwebmail/openwebmail-folder.pl: The user can execute arbitrary
  commands by passing "folder=; ... |" to downloadfolder().

* cgi-bin/openwebmail/openwebmail-webdisk.pl: If the user has FTP access and
  uploads a file named "; ... |", editfile() and downloadfile() will execute
  the command.

* cgi-bin/openwebmail/openwebmail-webdisk.pl: The user can execute arbitrary
  commands by uploading a URL in the form "http://foo/; ...".

I stopped looking at this point. The code is rife with vulnerabilities, and
needs to be audited line by line; I'm not sure this is likely anytime soon.

I think we should remove it. (It can always be added back if it's fixed.)

Thanks,
Matej
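The two classes of bug listed above (a caller-supplied name reaching Perl's two-argument open(), where a trailing "|" turns the name into a command pipeline, and a check-then-open race on temporary files) are shown below in their hardened form. This is an added Perl example written for this thread; it is not openwebmail code and not Matej's. The function names (safe_basename, open_for_reading, open_new_exclusive, create_private_tempfile) and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile tempdir);

# Hypothetical helper names; not from openwebmail.

# Reject any caller-supplied name that a two-argument open() could read as
# something other than a plain file: directory separators, control
# characters, a leading "-" (STDIN/STDOUT), "." / "..", and anything outside
# a small allow-list, which also excludes "|", ">", "<", ";" and whitespace.
sub safe_basename {
    my ($name) = @_;
    return undef unless defined $name;
    return undef if $name =~ /[\x00-\x1f\/]/;          # controls, separators
    return undef unless $name =~ /\A[A-Za-z0-9._-]+\z/;  # allow-list only
    return undef if $name eq '.' || $name eq '..';
    return undef if $name =~ /\A-/;                     # "-" is special to open()
    return $name;
}

# Always use the three-argument open(): the mode is given explicitly, so the
# third argument is only ever a filename.  A name such as "; id |" is then
# a literal (and non-existent) file, never a pipeline.
sub open_for_reading {
    my ($dir, $name) = @_;
    my $base = safe_basename($name);
    return undef unless defined $base;
    open(my $fh, '<', "$dir/$base") or return undef;
    return $fh;
}

# Creating a file you expect not to exist: let the kernel do the check and
# the create in one step with O_EXCL, so there is no window between
# "does it exist?" and "open it" for someone else to drop a symlink in.
sub open_new_exclusive {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return undef;
    return $fh;
}

# For scratch files, File::Temp::tempfile does the same atomically and picks
# an unpredictable name for you; prefer it over hand-rolled temp names.
sub create_private_tempfile {
    my ($dir) = @_;
    my ($fh, $path) = tempfile('owm-XXXXXXXX', DIR => $dir, UNLINK => 0);
    return ($fh, $path);
}

# --- demonstration with constructed input -------------------------------
my $dir = tempdir(CLEANUP => 1);
{
    open(my $out, '>', "$dir/addressbook.csv") or die "create: $!";
    print $out "alice,alice\@example.org\n";   # constructed sample data
    close $out;
}

for my $name ('addressbook.csv', '; id |', '../etc/passwd', '-', 'a b') {
    my $fh = open_for_reading($dir, $name);
    printf "%-18s -> %s\n", "'$name'", $fh ? 'opened' : 'rejected';
    close $fh if $fh;
}

# Second attempt at the same path fails instead of silently reusing it.
my $lock = "$dir/session.lock";
my $first  = open_new_exclusive($lock);
my $second = open_new_exclusive($lock);
printf "exclusive create: first=%s second=%s\n",
    $first ? 'ok' : 'failed', $second ? 'ok' : 'failed (EEXIST)';
close $first if $first;

my ($tfh, $tpath) = create_private_tempfile($dir);
printf "temp file created at %s\n", $tpath;
close $tfh;
```

Run with "perl hardened_open.pl": only addressbook.csv opens, the four other names are rejected before any open() is attempted, and the second exclusive create fails. Applied to the cases in the list above, the same allow-list check on the "file" and "folder" parameters, and on uploaded filenames and URLs, would stop the shell-metacharacter names before they reach open().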