
List:       imp
Subject:    Re: [imp] BUG?
From:       Steven Stern <sds-email-list () mindspring ! com>
Date:       2004-01-11 17:07:27
Message-ID: uk0300p1jhoer9lvhm6u7ptmcaebus1pdi () 4ax ! com

On Sun, 11 Jan 2004 17:38:38 +0100, Albert <albert@mentes.org> wrote:

>At 17:09 11/01/2004, you wrote:
>>On Sat, 10 Jan 2004 22:48:22 -0500, Chuck Hagenbuch <chuck@horde.org> wrote:
>>
>> >mailbox.php?mailbox=/etc/passwd
>>
>>Argh.  That happens on my box, too, using the default Fedora IMAP server. How
>>should I lock it down to prevent it?
>
>Hello,
>If you use Apache, you can use mod_security:
>
>http://www.modsecurity.org/
>
>In the mod_security section of my httpd.conf I prevent it this way:
>
>SecFilter mailbox=/ "redirect:https://webmail.host.org"
>
>P.S. You must make more filters to prevent path traversal, etc. ;)
>
>Regards,
>Albert


Wouldn't it make more sense to patch mailbox.php to prevent opening a mailbox
that's not on the folders list?  I don't know PHP... anyone up to the task?

-- 
IMP mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscribe@lists.horde.org
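
Added example (not part of the original message and not IMP's own code): a PHP sketch of the allowlist check suggested above, accepting a requested mailbox only if it exactly matches an entry on the user's folder list. It assumes the list comes from imap_list(); the function names resolve_mailbox() and strip_server_spec() and the sample folder names are hypothetical.

```php
<?php
// Added illustration; not IMP code. Function names are hypothetical.
// Requires PHP 7.1+ (nullable return type).

/**
 * Strip the server spec ("{host:port/imap}") that imap_list() prefixes
 * to every folder name, leaving the bare mailbox name.
 */
function strip_server_spec(string $name): string
{
    $pos = strpos($name, '}');
    return ($name !== '' && $name[0] === '{' && $pos !== false)
        ? substr($name, $pos + 1)
        : $name;
}

/**
 * Return the mailbox to open, or null if the request is not on the
 * user's folder list. Exact, case-sensitive match only; the value is
 * never rewritten or "cleaned", only accepted or refused.
 */
function resolve_mailbox($requested, array $folderList): ?string
{
    if (!is_string($requested) || $requested === '') {
        return null;   // e.g. mailbox[]=x arrives as an array
    }
    $allowed   = array_map('strip_server_spec', $folderList);
    $allowed[] = 'INBOX';
    return in_array($requested, $allowed, true) ? $requested : null;
}

// Constructed sample: what imap_list() might return for one user.
$folders = [
    '{localhost:143/imap}INBOX',
    '{localhost:143/imap}mail/sent-mail',
    '{localhost:143/imap}mail/drafts',
];

// Constructed requests: two legitimate, two that must be refused.
foreach (['mail/sent-mail', '/etc/passwd', 'mail/../../etc/passwd', 'INBOX'] as $req) {
    $mbox = resolve_mailbox($req, $folders);
    printf("%-24s => %s\n", $req, $mbox === null ? 'rejected' : "open $mbox");
}
```

Unlike a pattern filter such as the SecFilter rule quoted above, this check does not need to enumerate bad inputs: anything the IMAP server did not list for this user is refused.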
