Package: uw-imapd Version: 4:2001adebian-6 Severity: grave Tags: security, woody
uw-imapd and uw-imapd-ssl are insecure by default. They allow a logged in user to retrieve or manipulate any file on the filesystem. This was discovered as a squirrelmail bug, but is actually a UW-IMAP bug. The exploits do not work on other IMAP servers. Note: This is only relevant on systems where users are not supposed to have shell access (ie email-only users). Other users would be able to access these files anyway. More information is here: http://www.securityfocus.com/bid/7952/exploit/ See this Squirrelmail-devel thread: http://sourceforge.net/mailarchive/forum.php?thread_id=2641998&forum_id=7139 The UW-IMAP FAQ says that this is a known issue and reccomends a compile-time option to env_unix.c, setting "restrictBox" to prevent allowing users to access / and .. : http://www.washington.edu/imap/IMAP-FAQs/index.html#5.1 Please change this option for uw-imapd and uw-imapd-ssl. Thank you, -Chris
