Index: [thread] [date] [subject] [author]
  From: David Harris <>
  To  : <>
  Date: Tue, 11 Jan 2000 22:00:36 -0500

[background07] Alex Howansky getwpman replacement 3 of 3

I ran into a guy that created a getpwman replacement patch for uwimap and
shared my concerns. He then tested his code and found a security hole, which
he fixed. This verified my suspicions.

In this e-mail I tell him about another concern I have.

(You can see from the third paragraph that I was a little up-tight about
that I release before now. Right now I just want to get the patch out the
door. Oh well.)

 - David Harris
   Principal Engineer, DRH Internet Services

-----Original Message-----
From:	David Harris []
Sent:	Friday, December 31, 1999 2:10 PM
To:	Alex Howansky []
Subject:	RE: [imp] Updated UW-IMAP patch to allow virtual users

I forgot to tell you about another possible problem. Do you know what value
sysInBox in env_unix.c is being set to? You need to make sure that this
variable is not set, because you could end up reading
/var/spool/mail/USERNAME by accident. For example, you might have a virtual
user with the same username as a real UNIX user on your system. UNIX
permissions will probably save you here, but things could get screwed up.

I'd be happy to give you a copy of my patch. I just ask that you don't
integrate it into your code, show it around, or otherwise publish it yet...
I've put a good bit of work into it and I want to publish it on and I'm also very careful about what I put my name on and
release... and it's also got a bit of proprietary authentication backend in
the current state (which will be replaced with a generic backend when I
release it)... so consider this a "pre-beta" evaluation copy.

Does that work for you?

 - David Harris
   Principal Engineer, DRH Internet Services

-----Original Message-----
From:	Alex Howansky []
Sent:	Thursday, December 30, 1999 6:41 PM
Subject:	[imp] Updated UW-IMAP patch to allow virtual users

I've updated my patches to address the issue brought up by David Harris
regarding users being able to read other users' mail by using a carefully
crafted foldername. I threw everything I had at it and couldn't break
it. YMMV. :)

The new version is available at

Thanks again David.

Alex Howansky

IMP mailing list:
To unsubscribe, e-mail:
For additional commands, e-mail:

Index: [thread] [date] [subject] [author]