  From: David Harris <>
  To  : <>
  Date: Tue, 11 Jan 2000 22:00:30 -0500

[background06] Alex Howansky getpwnam replacement 2 of 3

I ran into a guy that created a getpwnam replacement patch for uwimap and
shared my concerns. He then tested his code and found a security hole, which
he fixed. This verified my suspicions.

This e-mail is where he verified my suspicions.

 - David Harris
   Principal Engineer, DRH Internet Services

-----Original Message-----
From:	Alex Howansky []
Sent:	Wednesday, December 29, 1999 1:58 PM
To:	David Harris
Subject:	IMAP patches

I hope you don't mind me mailing you directly -- I don't think this belongs on
the Imp list.

I wouldn't mind helping out with the PostgreSQL side of your mods, but I
have an immediate need for this type of patch, so I'm continuing with mine

With your comments in mind, I changed the code in the mailboxfile() function in
env_unix.c so that the checks for "..", "//", and "/~" in the mailbox name
occur for every mailbox name, not just for blackbox/anonymous use. This
the problem with a user being able to specify a mailbox name like
"../anotheruser". However, with a little further experimenting, I discovered
that they could still specify an absolute pathname as a mailbox name. For
example, if my virtual user layout is like this:


... usera could specify "/virtual/" as a mailbox and read
userc's mail. Thanks for your info earlier, I appreciate the objectiveness. In
return, I just wanted to let you know that I had discovered this, in case you
hadn't already done the same, and in case your own code might be vulnerable.

I fixed the problem by undoing my previous mods and simply rejecting any
that has ".." or '~' anywhere in it, or that begins with '/'. It works for
everything I threw at it.

If you don't mind, I have two questions for you. One, do you think this
check is sufficient? Two, I don't understand why the UW code checks for "//"
and "/~" -- are these special IMAP folder names?


Alex Howansky
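
Added example, not part of either message and not code from UW IMAP or from the patch: the two mailbox-name rules described above, side by side, so the absolute-path gap in the first one is visible. The function names and the sample names (including the placeholder absolute path) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* First attempt from the message: reject "..", "//" and "/~" anywhere
 * in the name. Returns 1 when the name is accepted. */
int substring_check_ok(const char *name)
{
    return !(strstr(name, "..") || strstr(name, "//") || strstr(name, "/~"));
}

/* Revised rule from the message: reject ".." or '~' anywhere, or a
 * leading '/'. Rejecting NULL and empty names is an added assumption. */
int mailbox_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '/')
        return 0;
    if (strchr(name, '~') != NULL)
        return 0;
    if (strstr(name, "..") != NULL)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample names; the absolute path is a placeholder. */
    const char *samples[] = {
        "INBOX", "lists/imp", "../anotheruser",
        "/srv/mail/userc/INBOX", "~userc/INBOX",
    };
    size_t i;

    printf("%-24s %-10s %s\n", "name", "first", "revised");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %-10s %s\n", samples[i],
               substring_check_ok(samples[i]) ? "accept" : "reject",
               mailbox_name_ok(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Both functions look only at the characters of the name. Neither resolves symbolic links inside a user's mail directory, so that has to be handled where the file is opened.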

