retitle 301561 "RM: openwebmail -- RoQA; RC bugs, vulnerable code" reassign 301561 ftp.debian.org thanks
On Fri, Apr 29, 2005 at 12:07:06PM +0200, Matej Vela wrote:
> On Thu, Apr 28, 2005 at 11:20:22PM +1000, Andrew Pollock wrote:
> > openwebmail is orphaned, but has only been so for 32 days.
> >
> > That said, it's got security issues, and hasn't been part of a stable
> > release.
> >
> > So I'm personally inclined not to let it linger for a while on the grounds
> > that it's got security issues, and just get it the hell out of the archive.
> > It's not like Debian's short of webmail packages.
> >
> > That said, a non-DD has prepared an updated package as of a week ago, but no
> > one has sponsored it yet.
> >
> > Just wondering what people's thoughts are?
>
> I took a look at the current upstream version (2.51).
>
> * cgi-bin/openwebmail/modules/tool.pl: Upstream no longer uses completely
>   predictable temporary filenames, but the race condition between checking
>   whether a file exists and actually opening it is still there.
>
> * cgi-bin/openwebmail/openwebmail-abook.pl: The user can execute arbitrary
>   commands by passing "file=; ... |" to addrviewatt().
>
> * cgi-bin/openwebmail/openwebmail-folder.pl: The user can execute arbitrary
>   commands by passing "folder=; ... |" to downloadfolder().
>
> * cgi-bin/openwebmail/openwebmail-webdisk.pl: If the user has FTP access
>   and uploads a file named "; ... |", editfile() and downloadfile() will
>   execute the command.
>
> * cgi-bin/openwebmail/openwebmail-webdisk.pl: The user can execute
>   arbitrary commands by uploading a URL in the form "http://foo/; ...".
>
> I stopped looking at this point. The code is rife with vulnerabilities, and
> needs to be audited line by line; I'm not sure this is likely anytime soon.
> I think we should remove it. (It can always be added back if it's fixed.)

That's good enough reason for me.

regards

Andrew
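The two bug classes named in the report above, written the safe way, as an added example that is not openwebmail's code. It assumes the "; ... |" inputs reach Perl's two-argument open(), which treats a trailing "|" as a command to run; the function names and the "owm-" temp-file prefix are this example's own.

```perl
#!/usr/bin/perl
# Added example (not openwebmail code). Assumption: the reported
# "; ... |" names hit a two-argument open(), whose trailing '|' means
# "run this as a command". Three-argument open with an explicit mode
# plus name validation keeps the name a path and nothing else.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempfile);

# Accept only a plain file name: no directory parts, no shell or pipe
# metacharacters, no leading dot. Returns undef when the name is rejected.
sub sanitize_name {
    my ($name) = @_;
    return unless defined $name && length $name <= 255;
    return unless $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/;
    return $name;
}

# Open a user-selected file for reading inside $dir. The three-argument
# form with '<' cannot be turned into a pipe, whatever the name contains.
sub open_in_dir {
    my ($dir, $name) = @_;
    my $safe = sanitize_name($name);
    return (undef, 'rejected name') unless defined $safe;
    my $path = File::Spec->catfile($dir, $safe);
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    return ($fh, undef);
}

# Temporary file without the check-then-open race from tool.pl:
# File::Temp creates and opens the file atomically (O_EXCL) under an
# unpredictable name, so there is no window between test and open.
sub new_tempfile {
    my ($dir) = @_;
    my ($fh, $path) = tempfile('owm-XXXXXXXX', DIR => $dir, UNLINK => 1);
    return ($fh, $path);
}

# Demonstration on constructed inputs, including the shapes from the report.
for my $candidate ('notes.txt', '; ... |', '../etc/passwd', 'http://foo/; ...') {
    my $verdict = defined sanitize_name($candidate) ? 'accepted' : 'rejected';
    print "$verdict: $candidate\n";
}
```

Only `notes.txt` passes the filter; the other three names are refused before any open() is attempted.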