l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2003 Jun 23 22:59

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
[vox] [Fwd: Invalid SquirrelMail Exploit]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[vox] [Fwd: Invalid SquirrelMail Exploit]

FYI for SM (response to accusation they were at fault for exploit)

Summary: it was a UW IMAP Server. The problem does not appear to be an
issue with courier...

There is also a second notice that is still being researched.


---------------------------- Original Message ----------------------------
Subject: Invalid SquirrelMail Exploit
From:    "Jonathan Angliss" <jon@squirrelmail.org>
Date:    Mon, June 23, 2003 13:26
To:      bugtraq@securityfocus.com


I'm writing to correct a fatal reporting that was posted to one of the
security focus mailing lists about SquirrelMail.  It discusses files being
accessible via the SquirrelMail website, and criticizes
SquirrelMail to be at fault.  The details for the exploit can be seen on
the bugtraq website [1].

Fortunately it is an invalid accusation. Even minor exploration would
point the issue to the imap server itself. I'd like to draw peoples
attention to the University of Washington's IMAP FAQ page [1], it
clearly describes details on accessing /etc/passwd as detailed in the
bugtraq item that was submitted.

I'd be grateful if that portion of the ticket was revoked as invalid, as
any testing performed with other IMAP servers such as Courier-IMAP, or
Cyrus all return no mailboxes.

The file moving/deletion vulnerability would also appear to be an IMAP
dependant issue, as you cannot access arbitrary files from other IMAP
servers, as other IMAP servers don't appear to treat all files

I am currently looking into the privilege escalation 'issue' that was also
posted as part of the bug.

Please note in future that any security related issues can be posted to
any member of the SquirrelMail leadership team [2], or any of the mailing
lists.  We also have a dedicated mailing address for security alerts at

  [1] http://www.securityfocus.com/bid/7952
  [2] http://www.washington.edu/imap/IMAP-FAQs/index.html#5.1
  [3] http://www.squirrelmail.org/about.php

Jonathan Angliss

vox mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.