[33436] in bugtraq


Re: sqwebmail web login

daemon@ATHENA.MIT.EDU (Tim Nelson)
Thu Feb 5 03:35:32 2004

Date: Thu, 5 Feb 2004 09:57:04 +1100 (EST)
From: Tim Nelson <sysadmin@sunet.com.au>
To: Antonio Messina <messina@retiesistemi.it>
Cc: Marco Marabelli <mm@smrt.it>, bugtraq@securityfocus.com,
        mrsam@courier-mta.com
In-Reply-To: <401F61EE.CF48EC27@retiesistemi.it>
Message-ID: <Pine.LNX.4.44.0402050949560.16397-100000@ganymede.bcc.local>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT

On Tue, 3 Feb 2004, Antonio Messina wrote:

> > platform:
> > linux 2.4 i386
> > packages: qmail+sqwebmail+qmailadmin+vpopmail-vchkpw-auth.
> 
> NOT with FreeBSD 4.5, kernel GENERIC, sqwebmail 3.3.3, vpopmail 5.2
> 
> However, I think it's due to a misconfiguration. Root mailbox does NOT 
> exist in default qmail installation: it's just an alias, not a real 
> valid user. 

	Sqwebmail reads the filesystem directly, so will be doing this 
itself.  It doesn't depend on the qmail setup.  Sqwebmail is part of the 
Courier suite.  While I am using all the other software in the Courier 
suite, I'm using SquirrelMail instead of sqwebmail.  Sqwebmail accesses 
the filesystem directly for performance reasons.  But I prefer to keep my 
web server and mail servers separate.  

http://www.inter7.com/sqwebmail.html

	So, I place the blame squarely on sqwebmail.  However, I know the 
Courier folks are quite responsive to security issues, so I've included 
MrSam on this message.  

	:)

-- 
Tim Nelson
Systems Administrator
Sunet Internet
Tel: +61 3 5241 1155
Fax: +61 3 5241 6187
Web: http://www.sunet.com.au/
Email: sysadmin@sunet.com.au


