Vulnerability in IMAP - ALERT

SupermanInNY

Jul 19, 2003
Vulnerability if you are using IMAP - ALERT

Problem: Impact: any mail user can read all local files of the same "domain" account, and have full access to all other mailboxes in that account.

[modedit:removed]

This issue was presented to cPanel tech support 10 days ago and other than "forward to Developers" I have yet to see anyone actually addressing the issue.

https://tickets.cpanel.net/review/?id=39491
 

rpmws

Aug 14, 2001
Re: Vulnerability if you are using IMAP - ALERT

Not sure it was a good idea to post this here. Maybe you should edit your post to suggest to people to shut down imapd for the time being.
 

euselect

Aug 3, 2003
I tried to reproduce this without any success.
All my cPanel machines use cpimap, not wu-imap.

I am running Red Hat Linux and Enterprise Linux.

Unless cpimap is born of wu-imap, I don't see a problem.

What OS was this fault reproduced on, out of interest?

Cheers

Neil
 

SupermanInNY

Jul 19, 2003
OS is RH9.

The problem is related to the cPanel mail users architecture.
When you log in with your email user name you essentially log in with the domain username permission settings and therefore you can browse and traverse up and down the entire tree of your home directory.

I'm curious that you were not able to reproduce this.
Keep in mind that the "danger" in this entire vulnerability is contained to each domain.
The user is still JailShelled and can only do "damage" to his domain.

A quick solution to fix this issue is to close port 143 and not to shut down imapd. Why? As long as IMAP is mapped to use the default port 143, users will not be able to connect to it from an outside program. However, SquirrelMail is using localhost and will function just fine.
So as a quick fix, you can suggest all users use POP3 on their Outlook Express and still let them use SquirrelMail, which uses IMAP4 on the server.

I'll forward your experience to my techie to see if cpimap has some kind of a limiting environment. If it does, it may not be a bad idea to switch.

-Alon.
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
We are aware of the problem, and have been working on a patch. It was currently up to the process being tested on live servers when this post was made. We've put the change in edge, but it's not 100% tested yet, AND MAY CAUSE PROBLEMS. We didn't want to put it out yet, but this posting has pushed things along. See the changelog for details.