Bugtraq mailing list archives

Re: IMAPD security problems ?


From: Ian_MacPhedran () MACKENZIE USASK CA (Ian MacPhedran)
Date: Thu, 4 Jul 1996 16:18:10 -0600


On Thu, 4 Jul 1996, Zvi Bar-Deroma wrote:
One or 2 months ago there were some discussions concerning possible
vulnerabilities in POPd (+ a suggestion for a "safe" server). I wonder
whether these (or any other) vulnerabilities are known to exist in IMAP
(specifically the version available from the uni. of Washington, home of
"pine"). I did check that a "simple" simulated crack fails - after 3 bad
pw's the connection is closed and one has to reconnect.

/Zvika

Well, I'm not sure if you'd count this a vulnerability or not, but IMAPD
will allow users to read any files via their mailreader that they have
permission to read. (E.g. they can see the /etc/passwd file on your mail
server.) This might be a potential problem for places where they don't
allow interactive logins, and feel that people can't see files because of
that restriction.

Ian.
----------------------------------------------------------------------------
Ian MacPhedran,    Engineering Computer Centre,   2B13 Engineering Building,
University of Saskatchewan,  57 Campus Drive,  Saskatoon SK  S7N 5A9, CANADA
Phone: (306)966-4832 Fax: (306)966-5205  Email: Ian_MacPhedran () engr USask CA
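
One way to close the gap described in the reply above, as an added example that is not part of the original message and is not code from the University of Washington server: confine every client-supplied mailbox name to a per-user mail directory before opening it. The function name `confine_mailbox`, the `/var/mail/alice` root, the treatment of a leading `~` as home-relative, and the sample names are assumptions; the check is lexical only, so symbolic links below the root still need separate handling.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: build root/name in out if the client-supplied mailbox
 * name stays below root. Returns 0 on success, -1 if the name is rejected.
 * Lexical check only: it does not resolve symbolic links. */
int confine_mailbox(const char *root, const char *name, char *out, size_t outlen)
{
    const char *p = name;
    int n;

    /* Reject empty, absolute and (assumed) home-relative names outright. */
    if (name[0] == '\0' || name[0] == '/' || name[0] == '~')
        return -1;

    while (*p) {
        size_t len = strcspn(p, "/");          /* length of this component */
        if (len == 0)                          /* empty component, e.g. "a//b" */
            return -1;
        if (len == 1 && p[0] == '.')           /* "." component */
            return -1;
        if (len == 2 && p[0] == '.' && p[1] == '.')  /* ".." climbs out of root */
            return -1;
        p += len;
        if (*p == '/')
            p++;
    }

    n = snprintf(out, outlen, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= outlen)          /* refuse truncated paths */
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from a real session. */
    const char *samples[] = { "INBOX", "lists/bugtraq", "/etc/passwd",
                              "../../etc/passwd", "lists/../../other" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (confine_mailbox("/var/mail/alice", samples[i], path, sizeof path) == 0)
            printf("allow  %-20s -> %s\n", samples[i], path);
        else
            printf("reject %s\n", samples[i]);
    }
    return 0;
}
```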


