Justus Pendleton writes:
> --- /usr/src/sqwebmail/sqwebmail-3.1.0.20011006/sqwebmail/sqwebmail.c Thu Sep 27
>02:15:08 2001
> +++ sqwebmail.c Mon Oct 15 13:51:54 2001
> @@ -1739,6 +1739,15 @@
>
> || last_time + timeoutsoft < current_time)
> {
> + cgiformdatatempdir("tmp");
> + cgi_setup(); /* Read CGI environment */
> + if (*cgi("savedraft") || *cgi("sendmsg")) {
> + char* newmsg_createdraft (const char *curdraft);
> + char* p = newmsg_createdraft (cgi("draftmessage"));
> + if (!p) enomem();
> + free (p);
> + }
> +
> setgid(getgid());
> setuid(getuid()); /* Drop root prevs */
> chdir("/");
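
Review bot: the added block calls newmsg_createdraft() above the setgid(getgid()) / setuid(getuid()) lines, so the draft is written before root privileges are dropped. Move the save below the privilege drop, and gate it on a validated session, since this branch is entered when (among other conditions) last_time + timeoutsoft < current_time. The value of cgi("draftmessage") is also passed straight from the request into newmsg_createdraft() with no check, and the prototype for newmsg_createdraft is declared inside the if block rather than taken from a header.
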
This is going to scribble all over your maildir, as root - not something you
really want to happen.

Setting this tiny glitch aside, the problem with this is that now anyone who
knows at least one valid mail account name on this server will now be able
to fill the account with crap. Do it long enough, and you'll run out of
disk space.

Of course, there may be other ways to bomb the account, or to DOS the
server, but that's somebody else's problem.

--
Sam