Topic: remote user can create arbitrary directory on the openwebmail server
Announced: 2004-04-09
Credits: Eric Wheeler, ewheeler.AT.nsci.us, National Security Concepts, Inc.
Affects: all versions before 20040409
Corrected: openwebmail versions after 2.30 20040409
Patches: http://openwebmail.org/openwebmail/download/cert/patches/SA-04:02/
         http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-04:02/

I. Background

If option use_syshomedir is set to 'no' or create_syshomedir is set to 'yes' in openwebmail.conf, openwebmail creates a home directory for a user when that user logs in and the directory does not yet exist.

II. Problem Description

The home directory is created before the user is authenticated, and the submitted username is used to build the directory path. A user who supplies a specially crafted username can therefore make the login script create an arbitrary directory on the server, without knowing any valid credentials.

III. Impact

A remote, unauthenticated user can create an arbitrary directory on the openwebmail server.

IV. Workaround

None.

V. Solution

A. Upgrade to the latest openwebmail-current.tar.gz, or
B. apply the patch in
   http://openwebmail.org/openwebmail/download/cert/patches/SA-04:02/
   http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-04:02/
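The following is an added illustration of the ordering flaw described in II, written for this page in Python rather than OpenWebMail's Perl; it is not the project's code and does not reproduce its login script. The advisory does not say which "special pattern" of username triggers the problem, so the traversal-style username used below is an assumption, as are the credential table, the username syntax rule and the directory layout. The vulnerable function creates the home directory first and authenticates afterwards; the hardened function validates the username, authenticates, and only then creates the directory, confirming that the resolved path stays under the home base.

```python
import os
import re
import tempfile

# Constructed credential store standing in for the real authentication backend (assumption).
USERS = {"alice": "correct horse"}

# Assumed username syntax: a POSIX-style login name, no separators, no leading dot.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")


def homedir_for(base, username):
    """Build the per-user home path the way a naive implementation does: plain concatenation."""
    return os.path.join(base, username)


def vulnerable_login(base, username, password):
    """Flawed ordering: create the home directory, then authenticate.

    Returns (authenticated, path). The directory is created even when the
    password is wrong, and the unchecked username decides where it lands.
    """
    path = homedir_for(base, username)
    if not os.path.isdir(path):
        os.makedirs(path)
    authenticated = USERS.get(username) == password
    return authenticated, path


def hardened_login(base, username, password):
    """Validate, authenticate, then create, and refuse anything that escapes base."""
    if not USERNAME_RE.fullmatch(username):
        return False, None
    if USERS.get(username) != password:
        return False, None
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(homedir_for(base, username))
    # Defence in depth: even a username passing the regex must resolve to a child of base.
    if real_path == real_base or os.path.commonpath([real_base, real_path]) != real_base:
        return False, None
    if not os.path.isdir(real_path):
        os.makedirs(real_path)
    return True, real_path


def demo():
    """Run both variants against an attacker-chosen username and a legitimate user."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "home")
    os.makedirs(base)

    # Assumed attacker input: a username containing a parent-directory reference.
    evil = os.path.join("..", "attacker_dir")

    vuln_auth, _ = vulnerable_login(base, evil, "wrong")
    escaped = os.path.isdir(os.path.join(root, "attacker_dir"))

    hard_auth, hard_path = hardened_login(base, evil, "wrong")

    # Wrong password for a real user must not create anything under the hardened flow.
    bad_pw_auth, _ = hardened_login(base, "alice", "wrong")
    created_on_bad_pw = os.path.isdir(os.path.join(base, "alice"))

    ok_auth, ok_path = hardened_login(base, "alice", "correct horse")

    return {
        "vuln_authenticated": vuln_auth,           # False: password was wrong...
        "vuln_dir_escaped_base": escaped,         # ...yet a directory outside base now exists
        "hardened_rejected_evil": hard_path is None and not hard_auth,
        "hardened_created_on_bad_pw": created_on_bad_pw,
        "hardened_alice_ok": ok_auth and ok_path is not None
        and ok_path.startswith(os.path.realpath(base) + os.sep),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two independent fixes matter separately: moving directory creation after authentication removes the unauthenticated trigger, while the username check and the realpath containment test stop an authenticated user from choosing where the directory is created.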