Mailing List Archive

IMAP4rev1 2000.283 allows access to system files
Hi,

This just might be misconfiguration on the one imap server I have access
to, but it might not.

When trying to check what's up with my mail using telnet, I've
issued a command: LIST "*" "*" and to my surprise got a listing of the files
in my directory. I could run LIST "../*" "*" and get the listing of directories
above mine, and so forth. Well then I thought to myself how far can this go,
so I tried SELECT "/etc/hosts"; FETCH 1 (flags rfc822.text) and guess what
I saw... Then I went on to CREATE "/tmp/MyTest". Writing into other
files is a little tricky but can be done with append after using select to
find out if the file is writable.


Cheers,
Guy

--
Unix Administration, | http://www.unixadmin.co.il
locally and remotely. | support@unixadmin.co.il
Planning, installation, | Phone: 972-3-6201373
support & upgrades. | Location: Unrestricted
Re: IMAP4rev1 2000.283 allows access to system files
This is a known, old issue AFAIK.

Joao Gouveia
------------
tharbad@kaotik.org

On Sáb, 2002-08-10 at 18:31, Guy Cohen wrote:
> Hi,
>
> This just might be misconfiguration on the one imap server I have access
> to, but it might not.
>
> When trying to check what's up with my mail using telnet, I've
> issued a command: LIST "*" "*" and to my surprise got a listing of the files
> in my directory. I could run LIST "../*" "*" and get the listing of directories
> above mine, and so forth. Well then I thought to myself how far can this go,
> so I tried SELECT "/etc/hosts"; FETCH 1 (flags rfc822.text) and guess what
> I saw... Then I went on to CREATE "/tmp/MyTest". Writing into other
> files is a little tricky but can be done with append after using select to
> find out if the file is writable.
>
>
> Cheers,
> Guy
>
> --
> Unix Administration, | http://www.unixadmin.co.il
> locally and remotely. | support@unixadmin.co.il
> Planning, installation, | Phone: 972-3-6201373
> support & upgrades. | Location: Unrestricted
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: IMAP4rev1 2000.283 allows access to system files
On Sat, Aug 10, 2002 at 10:53:21PM +0100, Joao Gouveia wrote:
> This is a known, old issue AFAIK.

I've tested successfully on IMAP4rev1 2001.315. Can anyone confirm
this on an even newer version?


--
Unix Administration, | http://www.unixadmin.co.il
locally and remotely. | support@unixadmin.co.il
Planning, installation, | Phone: 972-3-6201373
support & upgrades. | Location: Unrestricted
Re: Re: IMAP4rev1 2000.283 allows access to system files
Uh. This is EXPECTED behaviour, as in "yes, we know about it, it's designed
to do this, and has been doing this since the dawn of time". If you do not
like it you can:

a) chroot the users to their home dir, which is a REAL pain in the ass if
their mail spool is in /var/spool/mail or something similar, you will also
need to copy various library files/etc in.
b) use a different imap server such as cyrus which uses an internal mail
store


Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
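
An added example, not part of the thread and not code from any IMAP server: a check an operator could run over a logged IMAP command transcript to flag the kind of mailbox names described in the first post, i.e. names that resolve outside the user's mail directory when the server treats them as filesystem paths. The mail root `/home/guy/mail`, the function names and the sample transcript are assumptions constructed for illustration.

```python
import posixpath
import shlex

# Commands whose leading arguments name a mailbox (LIST takes reference + pattern).
MAILBOX_ARGS = {"LIST": 2, "SELECT": 1, "EXAMINE": 1, "CREATE": 1, "APPEND": 1}


def escapes_root(name, mail_root):
    """True if a mailbox name, read as a path, lands outside mail_root."""
    if name.upper() == "INBOX":
        return False
    # Join the way a filesystem-backed store would: an absolute name
    # replaces the root entirely, and ".." components walk upward.
    root = posixpath.normpath(mail_root)
    resolved = posixpath.normpath(posixpath.join(root, name))
    return resolved != root and not resolved.startswith(root + "/")


def audit(lines, mail_root):
    """Return (tag, command, mailbox) for every command that leaves mail_root."""
    findings = []
    for line in lines:
        try:
            parts = shlex.split(line)  # handles the quoted-string arguments
        except ValueError:
            continue  # unbalanced quotes: not a well-formed command line
        if len(parts) < 3:
            continue
        tag, cmd = parts[0], parts[1].upper()
        # Each LIST argument is checked on its own, which is an approximation
        # of how a server combines reference and pattern.
        for arg in parts[2:2 + MAILBOX_ARGS.get(cmd, 0)]:
            if escapes_root(arg, mail_root):
                findings.append((tag, cmd, arg))
    return findings


# Constructed transcript modelled on the commands quoted in the thread.
SAMPLE = [
    'a1 LIST "*" "*"',
    'a2 LIST "../*" "*"',
    'a3 SELECT "/etc/hosts"',
    'a4 FETCH 1 (flags rfc822.text)',
    'a5 CREATE "/tmp/MyTest"',
    'a6 SELECT INBOX',
    'a7 SELECT "lists/full-disclosure"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "/home/guy/mail"):
        print(finding)
```

The same `escapes_root` test is what a confined mail store effectively enforces on every mailbox name before touching the disk.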
Re: Re: IMAP4rev1 2000.283 allows access to system files
An alternative, if these are pop/imap mail only accounts, is to give the
accounts a shell of /dev/null. Then they can get e-mail, but are not
allowed to login or do much if anything else.

Additionally, internal production servers should not be playing pop/imap
mail roles, at least not for external access.

Thanks,

Ron DuFresne


On Sun, 11 Aug 2002, Kurt Seifried wrote:

> Uh. This is EXPECTED behaviour, as in "yes, we know about it, it's designed
> to do this, and has been doing this since the dawn of time". If you do not
> like it you can:
>
> a) chroot the users to their home dir, which is a REAL pain in the ass if
> their mail spool is in /var/spool/mail or something similar, you will also
> need to copy various library files/etc in.
> b) use a different imap server such as cyrus which uses an internal mail
> store
>
>
> Kurt Seifried, kurt@seifried.org
> A15B BEE5 B391 B9AD B0EF
> AEB0 AD63 0B4E AD56 E574
> http://seifried.org/security/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.