Hi,
I have noticed a security bug in vpopmail.
The first thing is the fact that we have to hard code the 'password' into the
vmysql.h file before we compile vpopmail with the mysql=y option. That is bad.

Secondly, and most importantly, ANY user on the system can go in
/home/vpopmail/bin/ and do a "strings vuserinfo".
If you scroll up after doing the "strings vuserinfo", you should look for
lines similar to these:
dir = %s
vpopmail
secret
root
localhost

The second line is the database name (vpopmail), the third line is the
password (secret), the fourth line is the username (root) and the last line
is the host (localhost).
All this information is in CLEAR TEXT!

That is terrible. I would suggest maybe encrypting it at compile time,
because I don't want users on my system to gain 'root' access to my MySQL
database.

For now, the only alternative is to change the read permissions on all
binaries found in /home/vpopmail/bin/

That's all for now.
Thanks

== Alex ==
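An added example (not part of Alex's post or of vpopmail itself): a small defender-side audit for the two problems described above. It assumes the directory path and the compiled-in secret are supplied by the caller, and uses grep -a in place of strings so it has no dependency on binutils.

```shell
#!/bin/sh
# Audit a vpopmail bin directory for (1) binaries readable by "other",
# i.e. by every local account, and (2) binaries that still carry the
# vmysql.h password as a clear-text string. Then apply the mitigation
# the post proposes: drop the "other" read/exec bits.
# Assumed usage (paths and secret are caller-supplied assumptions):
#   exposed_count /home/vpopmail/bin 'secret'
#   harden_bin_dir /home/vpopmail/bin

# List regular files under DIR whose "other" read bit (mode 0004) is set.
world_readable() {
    find "$1" -type f -perm -004
}

# Print on stdout the number of files in DIR that are BOTH world-readable
# AND contain SECRET in clear text; name each such file on stderr.
# -a searches a binary as text, -F matches the secret literally.
exposed_count() {
    dir=$1
    secret=$2
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" -perm -004)" ] && grep -qaF -- "$secret" "$f"; then
            printf 'EXPOSED: %s is world-readable and embeds the password\n' "$f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Mitigation: remove read and execute for "other" on every world-readable
# file in DIR, so only the owner and group (e.g. vpopmail) can read them.
harden_bin_dir() {
    find "$1" -type f -perm -004 -exec chmod o-rx {} +
}
```

Hardening the permissions hides the password from other local users but does not remove it from the binary; rebuilding with a different secret is still needed if it has already been read.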
