Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (E-mail Server)  >   Horde Internet Messaging Program (IMP) Vendors:   [Multiple Authors/Vendors]
(Caldera Linux Issues Fix for More IMP Problems) Internet Messaging Program (IMP) Web-based E-mail System Allows Local Users to Write Arbitrary Contents to Existing Files on the Server
SecurityTracker Alert ID:  1002154
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 7 2001
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): imp-2.2.4
Description:   A vulnerability was reported in the Internet Messaging Program (IMP) PHP-based e-mail system. The security hole allows users to write arbitrary contents to existing files on the server.

The IMP webmail package reportedly uses predictable temporary filenames when processing uploaded attachments or when 'viewing' attachments.

When a remote user composes a new e-mail message, any attachments are uploaded to the IMP server. Some PHP code first processes the file upload and creates a temporary file (the file is created in the "upload_tmp_dir" specified in php.ini, or in /tmp). The temporary filename is of the form "/tmp/phpXXXXXX", where the "X" characters are intended to be random. Next, IMP's compose.php3 copies the temporary file for safekeeping. The destination filename that IMP uses is /tmp/phpXXXXXX.att. IMP reportedly fails to check if the destination file already exists (and the destination file is opened without the O_EXCL flag). As a result, a local user can watch the temporary directory for phpXXXXXX files and can quickly create a symlink using the command: 'ln -s /tmp/phpXXXXXX.att /to/webserver_writable_file' to cause the IMP program to write an attachment to another existing file on the server.

In addition, IMP may allow local users to write to files on the server by another method. IMP reportedly can use external viewers for viewing certain e-mail message attachments. Before calling an external viewer, IMP (imp/lib/mimetypes.lib) will save the attachment to a temporary file using a filename of the form: /tmp/imp.'.date('Y-M-D_H:i:s').'__'.md5($contents). As a result, the filename is easy to guess and the file is opened without O_EXCL. This allows another opportunity for a local user to cause an existing file on the server to be overwritten.

Impact:   A local user can write arbitrary contents to existing files on the server.
Solution:   The vendor has released a fix. See the Source Message for the vendor's advisory containing directions on how to obtain the appropriate fix.
Vendor URL: (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Caldera/SCO)
Underlying OS Comments:  tested imp-2.2.4 on Linux and AIX (with php-4.0.5/php-3.0.18), but all platforms are likely to be affected.

Message History:   This archive entry is a follow-up to the message listed below.
Jun 1 2001 Internet Messaging Program (IMP) Web-based E-mail System Allows Local Users to Write Arbitrary Contents to Existing Files on the Server

 Source Message Contents

Subject:  Security Update [CSSA-2001-026.0] Linux - Security problems in imp

Hash: SHA1

		   Caldera International, Inc.  Security Advisory

Subject:		Linux - Security problems in imp
Advisory number: 	CSSA-2001-027.0
Issue date: 		2001, July 31
Cross reference:

1. Problem Description

    There are several security problems with IMP, a PHP based webmail
    application, shipped as part of OpenLinux 3.1 Server. These
    vulnerabilities allowed attackers to execute commands with the
    privileges of the httpd account.

2. Vulnerable Versions

   System                       Package
   OpenLinux 2.3                 not vulnerable                
   OpenLinux eServer 2.3.1       not vulnerable                
   and OpenLinux eBuilder                                      
   OpenLinux eDesktop 2.4        not vulnerable                
   OpenLinux Server 3.1          All packages previous to      
				 imp-2.2.6-1 and
   OpenLinux Workstation 3.1     not vulnerable                

3. Solution


     If you do not need imp/horde, remove the packages:

      rpm -e imp horde

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

    not vulnerable

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

    not vulnerable

6. OpenLinux eDesktop 2.4

    not vulnerable

7. OpenLinux 3.1 Server

    7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       The corresponding source code package can be found at:

   7.2 Verification

       9dfb2e378b4b81d481fd1b1d55a362aa  RPMS/horde-1.2.6-1.i386.rpm
       bb45a7379b387c1ac2760aa4cba22eea  RPMS/imp-2.2.6-1.i386.rpm
       4f9c59f24c2003a181bc935297045bc5  SRPMS/horde-1.2.6-1.src.rpm
       2fe6c5f4aa9e20245f05d45377967671  SRPMS/imp-2.2.6-1.src.rpm

   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh horde-1.2.6-1.i386.rpm imp-2.2.6-1.i386.rpm

8. OpenLinux 3.1 Workstation

    not vulnerable

9. References

   This and other Caldera security resources are located at:

   This security fix closes Caldera's internal Problem Report 10264.

10. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.

Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see


To unsubscribe, e-mail:
For additional commands, e-mail:


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC