SquirrelMail  
Donations
News
About
Support
Screen shots
Download
Plugins
Documentation
Sponsors
Bounties













Security Notice
Phishing campain
Version 1.4.15
Security Upgrade

With older versions of SquirrelMail, and possibly with current versions if some recent reports are to be believed, it is possible to show non-mail files within SquirrelMail. This includes sensitive files, such as /etc/passwd and others.

There has been a lot of discussion about this in the past, so check the mailing list archives for more information. It's true, this can be done with SquirrelMail, but it can be done with any IMAP client that can connect to your IMAP server. It's a known problem with the UW IMAP server, not SquirrelMail. There was at one point a SquirrelMail-specific workaround for this UW problem, so upgrade to the latest SquirrelMail release just to make sure.

The problem is that UW will give you the contents of any file that it has access to, so long as you tell it that file's a Mailbox folder. What you've essentially done when you get non-mail files in SquirrelMail is tell the IMAP server that the file (ex: /etc/passwd) is a mailbox folder, and the IMAP server gave you the contents of it. The UW server shouldn't do this, but we can't control it.

Also, the huge folder list is another UW "feature." UW uses ~/ as the location for mail folders by default. The good folks at UW seem to think that the client should figure out what is a mail folder and what isn't, and just hands everything in the users home dir over when asked for a folder list.

So, how can I fix this?

  • The easiest and probably the best is to not use UW. It's terribly slow with large mailboxes. Courier-IMAP is significantly better, and extremely easy to convert to. Install Courier, run the 'convert-and-create' script (get it from qmail.org) or any of its peers/variants, and change the SquirrelMail config from 'uw' to 'courier'. It'll work better, it'll work faster, and it'll be more secure. Regardless of what you may have heard, converting to Courier-IMAP does not break POP3 access, does not require Sendmail changes, does not require a ton of work at all.
    • More info from Tyler:
      • Courier uses Maildir, right? Well, you just install procmail and set up a global configuration file to save the incoming mail in a Maildir format. Then, you configure Sendmail to route all incoming mail through procmail. Voila!
  • You can change the source so that all mail folders are in a specific subdirectory of the user. See your-imap-source/doc/CONFIG. (As of IMAP-2000a it was Example 2. on line 35). One other important note. If you do this don't set the default folder prefix in SquirrelMail config. If you do, the subscribe/unsubscribe will not list anything, and folder dropdowns (like "move selected to" and the one under search) will be empty.
  • Don't allow the IMAP server or imapd (or httpd/apache or any other non-critical process) to have access to sensitive files. This is one of those 'duh' things, but it leaves your system wide open. An example: One of your users creates a web-based 'file browser' with PHP or Perl or some such. This 'file browser' has access to all the files that your web server has access to since your web browser runs as the user nobody or httpd or whomever the web server is setup to run as. (Typically, the nobody/httpd user has read access to nearly everything and write access to far too much.) Because the file browser runs as the web server, it has read and/or write access to all or nearly all files on your system. If this idea doesn't send shivers up your spine, you really don't need to be running servers of any kind.
  • If your password file is not shadowed, go shadow it IMMEDIATELY. Stop reading this FAQ and go, now.

There is a FAQ on this at UW. The below link jumps you to the appropriate section -- you still need to scroll down to the right question. (Read them all! There's tons of good info in there!)

http://www.washington.edu/imap/IMAP-FAQs/faqs.xml#problems

There is also a patch that is in 1.1.3 and will be in 1.2.0 (it's in pre-release testing as of July 16, 2001). The should help you out with the folder list problem (but may not help with the sensitive file access problem) if you don't want to patch UW and you don't want to switch to a better IMAP server. You will need to set the server type to 'uw' and the default folder prefix to the directory for the mail folders. This may not solve all of your problems, so be forewarned.


Don't confuse the performance problem with being able to read all the files on the system. The default UW IMAP performs poorly because by default it has mbox style mailboxes. An mbox style mailbox is where all your messages are stored in a single file, so if you have a large mailbox with lots of messages, then it will be slow opening the large file.

Courier IMAP offers faster performance because it's default mailbox format is Maildir. Maildir stores each message in an individual file, so, now even if you have many thousands of messages, it's relatively speedy because opening a directory is a much less resource intensive task.

Now why is this significant? Well, it's possible to configure UW IMAP to use Maildir format. Once you go to Maildir format, performance is no longer an issue. The only issue then, is the risk of being able to browse non-mail files.


Courier is not a "better" IMAP server than UW IMAP. It is a different server that is optimized differently but it is not necessarily "better" as is stated above in this page several times. UW does use the mbox format by default. Read the UW IMAP FAQ, it explains why, yes the creators and maintainers of UW are aware of other mailbox formats (mbx, maildir) and why they are faster, but they still don't use them because they have other drawbacks - http://www.washington.edu/imap/IMAP-FAQs/index.html#4.5.

Note that mbox and mbx do NOT WORK WELL with NFS (if you load balance IMAP servers for example and share a spool). However formats better for NFS such as maildir are NOT COMPATIBLE with all the UNIX and Posix standards as is mbox (so it mbox works in fact much BETTER on many unix variants).

It is also untrue that Courier is "more secure" than UW IMAP.

If you use UW make sure you:

1. Configure to use a subdirectory of a users home directory for folders (which optimizes performance some and subscribe/unsubscribe is improved, see the CONFIG document that comes with the UW source).

2. Consider the mbx format (but if you want maildir then you will need a third party c-client driver, once you are going that far you might as well use another imap server such as Courier).

3. Dont use NFS, unless you patch third party driver and use maildir format.

Please don't misunderstand this, Courier is not inferior to UW either, they are DIFFERENT products and each works BETTER in the environment it is suited for. Pay attention and READ the docs that come with each, don't just use the lame advice of someone whom says one is "better" than the other without substantiating that.

© 1999-2010 by The SquirrelMail Project Team