Invalid SquirrelMail Exploit

[Jonathan Angliss <jon () squirrelmail org>]

Hi,

I'm writing to correct a fatal reporting that was posted to one of the
security focus mailing lists about SquirrelMail.  It discusses files
being accessible via the SquirrelMail website, and criticizes
SquirrelMail to be at fault.  The details for the exploit can be seen
on the bugtraq website [1].

Fortunately it is an invalid accusation. Even minor exploration would
point the issue to the imap server itself. I'd like to draw peoples
attention to the University of Washington's IMAP FAQ page [1], it
clearly describes details on accessing /etc/passwd as detailed in the
bugtraq item that was submitted.

I'd be grateful if that portion of the ticket was revoked as invalid,
as any testing performed with other IMAP servers such as Courier-IMAP,
or Cyrus all return no mailboxes.

The file moving/deletion vulnerability would also appear to be an IMAP
dependant issue, as you cannot access arbitrary files from other IMAP
servers, as other IMAP servers don't appear to treat all files
equally.

I am currently looking into the privilege escalation 'issue' that was
also posted as part of the bug.

Please note in future that any security related issues can be posted
to any member of the SquirrelMail leadership team [2], or any of the
mailing lists.  We also have a dedicated mailing address for security
alerts at security () squirrelmail org.

  [1] http://www.securityfocus.com/bid/7952
  [2] http://www.washington.edu/imap/IMAP-FAQs/index.html#5.1
  [3] http://www.squirrelmail.org/about.php

-- 
Jonathan Angliss
(jon () squirrelmail org)