
> IMAP is displaying all my website contents!
fabrizio
Posted: Jul 1 2007, 06:20 AM
Group: Members

Hello,
I have just configured my new iPhone e-mail client to read my mail by using IMAP and it works fine. The only problem is that when I display my mailboxes I can see all the contents of my website (files, directories, etc)! I don't understand how that can happen, I think it's a big security flaw too! Any idea to avoid this on server side?

Thank you in advance.

Best,
Fabrizio


--------------------
-----------------------------------------
Fabrizio Ferrari - 'Violinist, contemporary and computer music composer'
E-MAIL: fabrizio@virtualsheetmusic.com
http://www.musicianspage.com
http://www.virtualsheetmusic.com
andy
Posted: Jul 1 2007, 12:10 PM
Group: Advantagecom Staff

I really don't know anything about the iPhone or what information you have to give it for it to download email, but my suspicion is that you're displaying publicly available content, so it isn't as big of an issue as you might think.

My first reaction is that you're just viewing directories using an FTP browser built into the phone. I've never heard of IMAP showing anything other than email.

If indeed you're viewing directories via FTP, then you have logged in as a user and will be able to view any files or directories owned by that user or in that user's group.

Also, FTP users that are not change-rooted (chrooted: locked into just browsing their own FTP directories), can browse and view any files allowed by the Unix permissions. This isn't a security flaw. Just simply make sure your Unix file and directory permissions are set to what they should be and each user will only be able to do what is allowed by those permissions. If you aren't comfortable with someone seeing file lists in directories they don't own, then chroot that user's FTP account.

Is there a way that you can take a picture of what you're seeing on your iPhone and post that file or email it to support for us to see? You'd have to take the picture using a separate device, of course, unless the iPhone supports taking screenshots of what is on its screen. We're interested in helping you get to the bottom of this, but it isn't a problem we've ever seen before, nor do we have an iPhone to be able to duplicate the problem.


--------------------
Sincerely,
Andrew Kinney
CTO, Advantagecom Networks

Please do not private message me. My regular management duties preclude responding to every customer that sends me a support issue. Instead, post on the forum or contact tech support.
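
The permission check described in the reply above, as an added example that is not part of the original thread: shell functions that report which directories and files under a tree are visible to an account that is neither the owner nor in the group. The function names are hypothetical, and the example assumes every directory above the starting point is traversable.

```shell
#!/bin/sh
# Added example, not from the thread. Reports what an account that is
# neither owner nor group member ("other") can see below a directory,
# as a non-chrooted FTP user on the same server would.
# Assumption: every directory above the starting point is traversable.

# Directories whose entries "other" can list (o+r). Descent stops at any
# directory "other" cannot enter (no o+x), since nothing below is reachable.
listable_dirs() {
    find "$1" -type d \( \( -perm -004 -print \) -o -type d \) \
        ! -perm -001 -prune
}

# Regular files "other" can read (o+r) and reach through o+x directories.
readable_files() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print
}

audit_other_access() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    listable_dirs "$1" | sed 's/^/LISTABLE /'
    readable_files "$1" | sed 's/^/READABLE /'
}

# Run as: sh audit.sh /path/to/account/home   (path is a placeholder)
if [ "$#" -gt 0 ]; then
    audit_other_access "$1"
fi
```

Anything reported that should not be visible can be closed with `chmod o-rwx` on the file or on an enclosing directory.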
fabrizio
Posted: Sep 1 2007, 06:31 AM

Thank you Andy for your reply and sorry for my delay.

Well, actually that's an IMAP issue, not FTP. I have the same problem with the Mail program on Mac OS X. If you wish I can send you a screenshot of what the program is showing: all the content of my directory (!!!). I know, sounds very strange but that's it!

Thank you again.

Fabrizio


andy
Posted: Sep 1 2007, 10:53 PM

Please email support@advantagecom.net with the screenshot of the OS X mail program showing the problem.

They'll help you track down the problem. I'll be working on some other deadlines and will be unable to assist at this time.


fabrizio
Posted: Sep 5 2007, 07:08 AM

Thank you Andy, I will do that.

Best,
Fabrizio

