- Added APOP, TLS and STLS support to mail_fetch plugin (#575299).
- Added Courier IMAP OUTBOX check to configtest utility.
- Moved login_form hook to its own table row on login page.
- - Added check_plugin_version() function
+ - Added check_plugin_version() function.
+ - If mailbox name starts with slash or contains ../, error message is
+ generated. Safety check for insecure default UW IMAP setup (#1557078).
Version 1.5.1 (branched on 2006-02-12)
--------------------------------------
if ($mailbox == 'None') {
return;
}
+
// cleanup $mailbox in order to prevent IMAP injection attacks
$mailbox = str_replace(array("\r","\n"), array("",""),$mailbox);
+
+ /**
+ * Default UW IMAP server configuration allows to access other files
+ * on server. $imap_server_type is not checked because interface can
+ * be used with 'other' or any other server type setting. $mailbox
+ * variable can be modified in any script that uses variable from GET
+ * or POST. This code blocks all standard SquirrelMail IMAP API requests
+ * that use mailbox with full path (/etc/passwd) or with ../ characters
+ * in path (../../etc/passwd)
+ */
+ if (strstr($mailbox, '../') || substr($mailbox, 0, 1) == '/') {
+ global $oTemplate;
+ error_box(sprintf(_("Invalid mailbox name: %s"),htmlspecialchars($mailbox)));
+ sqimap_logout($imap_stream);
+ $oTemplate->display('footer.tpl');
+ die();
+ }
+
$read = sqimap_run_command($imap_stream, 'SELECT ' . sqimap_encode_mailbox_name($mailbox),
true, $response, $message);
$result = array();
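Review bot: The explanatory comment introducing the new path check uses `/** ... */` docblock syntax inside a function body, where documentation tools will try to attach it to the following statement; a plain `/* ... */` (or `//`) block keeps the rationale without that side effect. The `global $oTemplate;` declaration sits inside the `if` branch; declaring it with the function's other globals at the top is the usual form and keeps the error path from depending on a conditional `global` (the function's signature and the rest of its body lie outside the hunk). The check is a deny-list of exactly two patterns (`../` anywhere, `/` as the first character) applied to $mailbox after the CR/LF stripping on the line above it, so a short comment such as `// must stay after the CR/LF cleanup and before any further rewriting of $mailbox` would help keep later edits from reordering it. Using `strpos($mailbox, '../') !== false` instead of `strstr(...)` in boolean context makes the intent explicit.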
$mailbox = (isset($mailbox) && $mailbox) ? $mailbox : 'INBOX';
-/* compensate for the UW vulnerability. */
-if ($imap_server_type == 'uw' && (strstr($mailbox, '../') ||
- substr($mailbox, 0, 1) == '/')) {
- $mailbox = 'INBOX';
-}
/**
* Set the global settings for a mailbox and merge them with the usersettings
* for the mailbox. In the future we can add more mailbox specific preferences