COMMAND

	imap-uw remote file access

SYSTEMS AFFECTED

	All versions

PROBLEM

	In                        Security.NNOV                         advisory
	[http://www.security.nnov.ru/advisories/courier.asp]:
	

	Imap-uw allows user to access any file he could  access  locally.  It\'s
	not a bug it\'s insecurity by design (it was not  created  with  security
	in mind ;-). According FAQ from vendor\'s web site (it\'s not  mentioned
	in a FAQ inside program distribution):
	

	-=-=-=-=-=-=-
	

	5.1 I see that the IMAP server allows access to arbitary  files  on  the
	system, including /etc/passwd! How do I disable this?
	

	You should not worry about this if your IMAP users are allowed  shell  access.
	The IMAP server does not permit any access that the user can not have  via
	the shell. If, and only if, you deny your IMAP users shell  access,  you
	may want to consider one of  three  choices.  Note  that  these  choices
	reduce IMAP  functionality,  and  may  have  undesirable  side  effects.
	Each  of  these  choices  involves  an   edit   to   file   src/osdep/unix/env_unix.c
	

	The first (and recommended) choice is to set restrictBox as described  in
	file CONFIG. This will disable access to the filesystem root,  to  other
	users\' home directory, and to superior directory.
	

	The second (and strongly NOT recommended) choice is to set closedBox  as
	described in file CONFIG. This puts each IMAP session into  a  so-called
	\"chroot jail\", and thus setting this option  is  extremely  dangerous;
	it can make your system much less secure  and  open  to  root  compromise
	attacks. So do not use this option unless you are absolutely  certain  that
	you understand all the issues of a \"chroot jail.\"
	

	The third choice is to rewrite  routine  mailboxfile()  to  implement  whatever
	mapping  from  mailbox  name  to  filesystem  name   (and   restrictions)
	that you wish. This is the most general choice.  As  a  guide,  you  can
	see at the start of routine mailboxfile() what  the  restrictBox  choice
	does.
	

	-=-=-=-=-=-
	

	It should be noted that restrictBox/closedBox  is  not  described  in  neither
	CONFIG nor any other document from program distribution at all  (as  for
	imap-2001a)... And even if you smart enough to check the FAQ on the  web
	site after you red the FAQ in source  distribution  restrictBox  can  be
	bypassed in  case  of  any  Windows  builds  (for  example  http://sourceforge.net/projects/uw-imap-cygwin/)
	because \'\\\\\' symbol is never checked. Hope nobody uses UW  under  NT
	or a version  from  OS  ports  distribution  in  production  environment
	because as far as I can see port maintainers do not change the value  of
	closedBox :).
	

	I\'m not sure if there are utilities to access file system via  imap-uw,
	a created a small set of tools you can download imaptools.tgz from
	

	http://www.security.nnov.ru/search/news.asp?binid=2063

	

	

	 it includes:

	

	  imapget.c - to retrieve file via imap-uw, usage example:

	    imapget imap.host.name /etc/passwd > passwd

	    it should work for both text and binary files.

	

	  imapls.c - to get a file listing, usage example:

	    imapls imaphostname /tmp/\\* > ls-tmp

	

	  imaprm.c, imapmkdir.c - hope you catch the idea.

	

	it\'s also possible to create file with any name in mailbox format.

SOLUTION

	see upper.