The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Volunerability in IMAP - ALERT

Discussion in 'General Discussion' started by SupermanInNY, Feb 25, 2004.

  1. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    Volunerability if you are using IMAP - ALERT

    Problem: Impact: any mail user can read all local files of the same "domain" account, and have full access to all other mailboxes in that account.

    [modedit:removed]

    This issue was presented to cPanel tech support 10 days ago and other than "forward to Developers" I have yet to see anyone actually addressing the issue.

    https://tickets.cpanel.net/review/?id=39491
     
    #1 SupermanInNY, Feb 25, 2004
    Last edited: Feb 25, 2004
  2. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Re: Volunerability if you are using IMAP - ALERT

    Not sure it was a good idea to post this here. Maybe you shoud edit your post to suggest to people to shut down imapd for the time being.
     
  3. euselect

    euselect Well-Known Member

    Joined:
    Aug 3, 2003
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    6
    I tried to reproduce this without any success.
    All my cpanel machines use cpimap not wu-imap

    I am running redhat linux and enterprise linux

    Unless cpimap is born of wu-imap , i dont see a problem ..

    What os was this fault reproduced on , out of interest.

    Cheers

    Neil
     
  4. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    OS is RH9.

    The problem is related to the cPanel mail users architecture.
    When you log in with your email user name you essentially log in with the domain username permission settings and therefore you can browse and traverse up and down the entire tree of your home directory.

    I'm curious that you were not able to reproduce this.
    Keep in mind that the "danger" in this entire volunerability is contained to each domain.
    The user is still JailShelled and can only do "damage" to his domain.

    A quick solution to fix this issue is to close port 143 and not to shutdown imapd. Why? As long as IMAP is maped to use the default port 143, users will not be able to connect to it from an outside program. However, Squirrlemail is using localhost and will function just fine.
    So as a quick fix,.. you can suggest all users use POP3 on their outlook Express and still let them use Squirlemail which uses IMAP4 on the server.

    I'll forward your experience to my techi to see if cpimap has somekind of a limiting environment. If it does, it may not be a bad idea to switch.

    -Alon.
     
  5. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    We are aware of the problem, and have been working on a patch. It was currently up to the process being tested on live servers when this post was made. We've put the change in edge, but its not 100% tested yet, AND MAY CAUSE PROBLEMS. We didn't want to put it out yet, but this posting has pushed things along. see the changelog for details.
     
Loading...
Similar Threads - Volunerability IMAP ALERT
  1. Chris-777
    Replies:
    3
    Views:
    419

Share This Page