
Re: [cpx] cpx - creates .imap folders in the /www/domain.com directory. = BAD



Rus,

I can reproduce it on any vps/mps I have. They need to have Dovecot
in order to pass PCI scans. All I have to do is log in as the domain
administrator. Click on the mail tab in upper left. Then click on
Folder List. You have now just created a bunch of .imap folders in
the /www/domain.com folders of that domain administrator's account. I
did duplicate this with a viaverio tech.

Because the domain administrator must have "webmail" access in order
to give end users access to webmail, the likelihood of duplicating
this problem is high.

In cpx, if it could be prevented from accessing the /www directory when
you click on Folder List, it would solve the problem of these .imap
folders being created. OR, simply make it so the domain
administrator does not have webmail access via cpx.

James



On Wed, Jul 22, 2009 at 11:45 AM, Rus Berrett<rberrett@xxxxxxxxx> wrote:
> On Tue, Jul 21, 2009 at 08:58:23PM -0400, Stormer's Cgi-Archive wrote:
>>
>> Subject: [cpx] cpx - creates .imap folders in the /www/domain.com directory. = BAD
>>
>> This is just a heads up...
>>
>> Had a client today who has squirrelcart installed on a freebsd v3 mps.
>>
>> They had logged into cpx as the domain administrator.   They clicked
>> on the Mail tab at the top.  Then they clicked on the Folder List.
>>
>> voilà... this parsed every file in the /www/domain.com folder and
>> created .imap folders in every directory and ... it created thousands
>> of individual directories all named the same as the files in the
>> respective directories... grief.  Trust me, if this were a vps3
>> viaverio would have sent me a cpu hog notice!  Because it was an mps
>> it handled it fairly well.
>>
>> Because squirrelcart parses certain directories for images and
>> such and the .imap folders did not have permissions that were
>> readable, it instantly took their cart offline with multiple visible
>> php errors.
>>
>> After I removed all the .imap folders it fixed the cart.
>>
>> Is this a cart problem?   No.  This is a cpx problem.  It should not
>> allow mail folders in the /www directory "at all".
>>
>> I explained to my client what happened and how they can prevent this
>> in the future.  But really...  cpx needs to be idiot proofed.  If a
>> client can click on it.. "they will".
>>
>> Heads up!
>>
>> James
>
> James,
>
> I'm fairly certain that Dovecot creates those ".imap" directories.  I
> would start your investigation (with the assistance of support if
> necessary) looking at which folders your user is subscribed to via
> Dovecot/maildir.  It may be that the user has inadvertently subscribed
> to a folder that is not in his or her "Mail" directory.  (Note: It is
> impossible to subscribe to a folder outside of the Mail directory using
> CPX.  But obviously, CPX is not the only IMAP mail client out there.)
>
> HTH.
>
> cheers.
>
> --rus.
>
>
>
>>
>> --
>>
>> Stormer's Cgi-Archive
>> http://www.stormer.org
>> ======================================================================
>> This is <cpx@xxxxxxxxxxxxx>      <http://www.groupmail.org/lists/cpx/>
>> Before posting a question, please search the archives (see above URL).
>
> --
> ========================================================================
> Rus Berrett                                                    NTT/Verio
>                 See Perl. See Perl Run. Run Perl, Run!
>
>



-- 

Stormer's Cgi-Archive
http://www.stormer.org
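
A read-only audit for the condition reported in this thread, added here as an example and not code from the thread, CPX or Dovecot: it lists each `.imap` directory under a web root, how many of its entries are named after a file sitting beside it, and whether other users (such as the web server) can read it. The function name `audit_imap_dirs`, the assumption that the per-file directories sit directly inside `.imap`, and the path in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: report Dovecot ".imap" index directories under a web root.
# It only reads the tree; nothing is deleted or modified.
# Usage (path is a placeholder): sh audit_imap.sh /www/domain.example

# audit_imap_dirs ROOT
# Prints one tab-separated line per .imap directory found under ROOT:
#   <path>  <entries>  <entries named like a sibling file>  <readable by others: yes|no>
# Paths containing newlines are not handled.
audit_imap_dirs() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # -prune stops find from descending into each .imap directory it reports.
    find "$root" -type d -name .imap -prune -print |
    while IFS= read -r d; do
        parent=$(dirname "$d")
        total=0
        shadow=0
        # Count entries (including dotfiles) and those that mirror a file
        # living next to the .imap directory, as described in the report.
        for e in "$d"/* "$d"/.[!.]*; do
            [ -e "$e" ] || continue
            total=$((total + 1))
            if [ -f "$parent/$(basename "$e")" ]; then
                shadow=$((shadow + 1))
            fi
        done
        # A web application running as another user needs r and x for
        # "other" to scan the directory without errors.
        mode=$(ls -ld "$d" | cut -c1-10)
        case $mode in
            ???????r?x) readable=yes ;;
            *)          readable=no ;;
        esac
        printf '%s\t%d\t%d\t%s\n' "$d" "$total" "$shadow" "$readable"
    done
}

if [ $# -gt 0 ]; then
    audit_imap_dirs "$1"
fi
```

A non-empty report for a web root means the mail client has been indexing web content; a `no` in the last column marks the directories a cart or gallery script will fail to read.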


