[Full-Disclosure] Re: IMAP4rev1 2000.283 allows access to system files

From: Guy Cohen (full-disclosure@lists.netsys.com)
Date: 08/11/02


From: full-disclosure@lists.netsys.com (Guy Cohen)
Date: Sun, 11 Aug 2002 13:48:25 +0300

On Sat, Aug 10, 2002 at 10:53:21PM +0100, Joao Gouveia wrote:
> This is a known, old issue AFAIK.

I've tested seccessfuly on IMAP4rev1 2001.315. Can anyone confirm
this on even newer version?

>
> Joao Gouveia
> ------------
> tharbad@kaotik.org
>
> On Sáb, 2002-08-10 at 18:31, Guy Cohen wrote:
> > Hi,
> >
> > This just might be misconfiguration on the one imap server I have access
> > too, but It might not.
> >
> > when trying to check what's up with my mail using telnet, I've
> > issued a command: LIST "*" "*" and to my suprise got a listing of the files
> > in my directory. I could run LIST "../*" "*" and get the listing of directories
> > above mine. and so forth. Well then i tought to my self how far can this go,
> > so i tried SELECT "/etc/hosts"; FETCH 1 (flags rfc822.text) and guess what
> > I saw... then I went on to CREATE "/tmp/MyTest". Writing into other
> > files is a little tricky but can be done with append after using select to
> > find out if the file is writable.
> >
> >
> > Cheers,
> > Guy
> >
> > --
> > Unix Administration, | http://www.unixadmin.co.il
> > locally and remotely. | support@unixadmin.co.il
> > Planning, installation, | Phone: 972-3-6201373
> > support & upgrades. | Location: Unrestricted
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Unix Administration,       |      http://www.unixadmin.co.il
locally and remotely.      |      support@unixadmin.co.il
Planning, installation,    |      Phone: 972-3-6201373
support & upgrades.        |      Location: Unrestricted