  From: David Harris <dharris@drh.net>
  To  : <imapvpop@davideous.com>
  Date: Tue, 11 Jan 2000 22:00:36 -0500

[background07] Alex Howansky getpwnam replacement 3 of 3

I ran into a guy that created a getpwnam replacement patch for uwimap and
shared my concerns. He then tested his code and found a security hole, which
he fixed. This verified my suspicions.

In this e-mail I tell him about another concern I have.

(You can see from the third paragraph that I was a little uptight about
what I release before now. Right now I just want to get the patch out the
door. Oh well.)

 - David Harris
   Principal Engineer, DRH Internet Services


-----Original Message-----
From:	David Harris [mailto:dharris@drh.net]
Sent:	Friday, December 31, 1999 2:10 PM
To:	Alex Howansky [alex@wankwood.com]
Subject:	RE: [imp] Updated UW-IMAP patch to allow virtual users


I forgot to tell you about another possible problem. Do you know what value
sysInBox in env_unix.c is being set to? You need to make sure that this
variable is not set, because you could end up reading
/var/spool/mail/USERNAME by accident. For example, you might have a virtual
user with the same username as a real UNIX user on your system. UNIX
permissions will probably save you here, but things could get screwed up.

I'd be happy to give you a copy of my patch. I just ask that you don't
integrate it into your code, show it around, or otherwise publish it yet...
I've put a good bit of work into it and I want to publish it on
davideous.com... and I'm also very careful about what I put my name on and
release... and it's also got a bit of proprietary authentication backend in
the current state (which will be replaced with a generic backend when I
release it)... so consider this a "pre-beta" evaluation copy.

Does that work for you?

 - David Harris
   Principal Engineer, DRH Internet Services


-----Original Message-----
From:	Alex Howansky [mailto:alex@wankwood.com]
Sent:	Thursday, December 30, 1999 6:41 PM
To:	imp@horde.org
Subject:	[imp] Updated UW-IMAP patch to allow virtual users


I've updated my patches to address the issue brought up by David Harris
regarding users being able to read other users' mail by using a carefully
crafted foldername. I threw everything I had at it and couldn't break
it. YMMV. :)

The new version is available at http://www.wankwood.com/getpg/

Thanks again David.

--
Alex Howansky
alex@wankwood.com
http://www.wankwood.com/
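
Both concerns raised in this thread (a crafted folder name reaching another user's mail, and INBOX resolving to /var/spool/mail/USERNAME for a virtual user who shares a name with a UNIX account) come down to how a mailbox name is turned into a path. The following C code is an added example, not code from UW-IMAP or from either patch; `vmailbox_path`, `is_inbox` and the `/vmail/alice` directory layout are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int is_inbox(const char *s)   /* IMAP treats INBOX case-insensitively */
{
    const char *t = "INBOX";
    while (*t && toupper((unsigned char)*s) == *t) { s++; t++; }
    return *t == '\0' && *s == '\0';
}

/* Hypothetical helper (not from UW-IMAP or either patch): map a mailbox name
 * requested by a virtual user to a path under that user's own directory
 * (vhome). Returns 0 on success, -1 if the name is refused. */
int vmailbox_path(const char *vhome, const char *name, char *out, size_t outlen)
{
    const char *p;
    int n;
    if (!vhome || vhome[0] != '/' || !name || !*name)
        return -1;
    /* INBOX stays inside the virtual home and never falls back to the system
     * spool, so a same-named UNIX account's mailbox cannot be reached. */
    if (is_inbox(name))
        name = "INBOX";
    /* Refuse absolute paths, "~" expansion and "#" namespace prefixes. */
    if (name[0] == '/' || name[0] == '~' || name[0] == '#')
        return -1;
    /* Refuse empty, "." and ".." components anywhere in the name. */
    for (p = name; *p; p += (*p == '/')) {
        size_t len = strcspn(p, "/");
        if (len == 0 || (len <= 2 && p[0] == '.' && p[len - 1] == '.'))
            return -1;
        p += len;
        if (p[0] == '/' && p[1] == '\0')
            return -1;                      /* trailing slash */
    }
    n = snprintf(out, outlen, "%s/%s", vhome, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[256];
    /* Constructed sample names; the directory layout is an assumption. */
    const char *names[] = { "inbox", "lists/horde", "../bob/INBOX", "/var/spool/mail/bob" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-22s -> %s\n", names[i],
               vmailbox_path("/vmail/alice", names[i], buf, sizeof buf) ? "refused" : buf);
    return 0;
}
```

A string check like this does not cover symbolic links inside the user's directory; that still depends on the file permissions the mail mentions.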

