[2891] in bugtraq
Re: IMAPD security problems ?
daemon@ATHENA.MIT.EDU (Ian MacPhedran)
Thu Jul 4 18:32:34 1996
Date: Thu, 4 Jul 1996 16:18:10 -0600
Reply-To: Ian MacPhedran <Ian_MacPhedran@MACKENZIE.USASK.CA>
From: Ian MacPhedran <Ian_MacPhedran@MACKENZIE.USASK.CA>
X-To: Zvi Bar-Deroma <zvika@aeserv.technion.ac.il>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <Pine.A32.3.93.960704152720.28946D-100000@aeserv.technion.ac.il>

On Thu, 4 Jul 1996, Zvi Bar-Deroma wrote:
> One or 2 months ago there were some discussions concerning possible
> vulnerabilities in POPd (+ a suggestion for a "safe" server). I wonder
> whether these (or any other) vulnerabilities are known to exist in IMAP
> (specifically the version available from the uni. of Washington, home of
> "pine"). I did check that a "simple" simulated crack fails - after 3 bad
> pw's the connection is closed and one has to reconnect.
>
> /Zvika
Well, I'm not sure if you'd count this a vulnerability or not, but IMAPD
will allow users to read any files via their mailreader that they have
permission to read. (E.g. they can see the /etc/passwd file on your mail
server.) This might be a potential problem for places where they don't
allow interactive logins, and feel that people can't see files because of
that restriction.
Ian.
----------------------------------------------------------------------------
Ian MacPhedran, Engineering Computer Centre, 2B13 Engineering Building,
University of Saskatchewan, 57 Campus Drive, Saskatoon SK S7N 5A9, CANADA
Phone: (306)966-4832 Fax: (306)966-5205 Email: Ian_MacPhedran@engr.USask.CA
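
One way a server could confine client-supplied mailbox names to a user's mail directory, so that a name such as /etc/passwd is refused. This is an added example, not part of the original message and not UW imapd code; the function name mailbox_path and the mail root /home/alice/mail are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not UW imapd code): map a client-supplied mailbox
 * name to a path under mail_root. Returns 0 and fills out on success,
 * -1 when the name would address a file outside the user's mail directory. */
int mailbox_path(const char *mail_root, const char *name,
                 char *out, size_t outlen)
{
    const char *p;
    int n;

    if (mail_root == NULL || name == NULL || out == NULL || outlen == 0)
        return -1;
    if (name[0] == '\0' || name[0] == '/' || name[0] == '~')
        return -1;              /* empty, absolute, or home-relative name */

    for (p = name; *p != '\0'; ) {
        size_t len = strcspn(p, "/");       /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return -1;          /* ".." would climb out of mail_root */
        p += len;
        while (*p == '/')
            p++;                /* skip separator(s) */
    }

    n = snprintf(out, outlen, "%s/%s", mail_root, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;              /* truncated path: refuse rather than open it */
    return 0;
}

int main(void)
{
    /* Constructed sample names; /home/alice/mail is an assumed mail root. */
    const char *names[] = { "INBOX", "lists/bugtraq", "/etc/passwd",
                            "../../etc/passwd", "lists/../../etc/passwd" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (mailbox_path("/home/alice/mail", names[i], path, sizeof path) == 0)
            printf("%-24s -> open %s\n", names[i], path);
        else
            printf("%-24s -> refused\n", names[i]);
    }
    return 0;
}
```

A symlink placed inside the mail directory still passes this lexical check; canonicalising the joined path with realpath() and comparing its prefix against the mail root covers that case.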