ID CVE-2007-2231
Summary Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
Vulnerable Configurations
  • cpe:2.3:a:dovecot:dovecot:1.0.beta1
  • cpe:2.3:a:dovecot:dovecot:1.0.beta2
  • cpe:2.3:a:dovecot:dovecot:1.0.beta3
  • cpe:2.3:a:dovecot:dovecot:1.0.beta4
  • cpe:2.3:a:dovecot:dovecot:1.0.beta5
  • cpe:2.3:a:dovecot:dovecot:1.0.beta6
  • cpe:2.3:a:dovecot:dovecot:1.0.beta7
  • cpe:2.3:a:dovecot:dovecot:1.0.beta8
  • cpe:2.3:a:dovecot:dovecot:1.0.beta9
  • cpe:2.3:a:dovecot:dovecot:1.0.rc1
  • cpe:2.3:a:dovecot:dovecot:1.0.rc2
  • cpe:2.3:a:dovecot:dovecot:1.0.rc3
  • cpe:2.3:a:dovecot:dovecot:1.0.rc4
  • cpe:2.3:a:dovecot:dovecot:1.0.rc5
  • cpe:2.3:a:dovecot:dovecot:1.0.rc6
  • cpe:2.3:a:dovecot:dovecot:1.0.rc7
  • cpe:2.3:a:dovecot:dovecot:1.0.rc8
  • cpe:2.3:a:dovecot:dovecot:1.0.rc9
  • cpe:2.3:a:dovecot:dovecot:1.0.rc10
  • cpe:2.3:a:dovecot:dovecot:1.0.rc11
  • cpe:2.3:a:dovecot:dovecot:1.0.rc12
  • cpe:2.3:a:dovecot:dovecot:1.0.rc13
  • cpe:2.3:a:dovecot:dovecot:1.0.rc14
  • cpe:2.3:a:dovecot:dovecot:1.0.rc15
  • cpe:2.3:a:dovecot:dovecot:1.0.rc16
  • cpe:2.3:a:dovecot:dovecot:1.0.rc17
  • cpe:2.3:a:dovecot:dovecot:1.0.rc18
  • cpe:2.3:a:dovecot:dovecot:1.0.rc19
  • cpe:2.3:a:dovecot:dovecot:1.0.rc20
  • cpe:2.3:a:dovecot:dovecot:1.0.rc21
  • cpe:2.3:a:dovecot:dovecot:1.0.rc22
  • cpe:2.3:a:dovecot:dovecot:1.0.rc23
  • cpe:2.3:a:dovecot:dovecot:1.0.rc24
  • cpe:2.3:a:dovecot:dovecot:1.0.rc25
  • cpe:2.3:a:dovecot:dovecot:1.0.rc26
  • cpe:2.3:a:dovecot:dovecot:1.0.rc27
  • cpe:2.3:a:dovecot:dovecot:1.0.rc28
CVSS
Base: 4.3 (as of 26-04-2007 - 08:45)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity MEDIUM
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity NONE
  • Availability NONE
nessus via4
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080521_DOVECOT_ON_SL5_X.NASL
    description A flaw was discovered in the way Dovecot handled the 'mail_extra_groups' option. An authenticated attacker with local shell access could leverage this flaw to read, modify, or delete other users mail that is stored on the mail server. (CVE-2008-1199) This issue did not affect the default Red Hat Enterprise Linux 5 Dovecot configuration. This update adds two new configuration options -- 'mail_privileged_group' and 'mail_access_groups' -- to minimize the usage of additional privileges. A directory traversal flaw was discovered in Dovecot's zlib plug-in. An authenticated user could use this flaw to view other compressed mailboxes with the permissions of the Dovecot process. (CVE-2007-2231) A flaw was found in the Dovecot ACL plug-in. User with only insert permissions for a mailbox could use the 'COPY' and 'APPEND' commands to set additional message flags. (CVE-2007-4211) A flaw was found in a way Dovecot cached LDAP query results in certain configurations. This could possibly allow authenticated users to log in as a different user who has the same password. (CVE-2007-6598) As well, this updated package fixes the following bugs : - configuring 'userdb' and 'passdb' to use LDAP caused Dovecot to hang. A segmentation fault may have occurred. In this updated package, using an LDAP backend for 'userdb' and 'passdb' no longer causes Dovecot to hang. - the Dovecot 'login_process_size' limit was configured for 32-bit systems. On 64-bit systems, when Dovecot was configured to use either IMAP or POP3, the log in processes crashed with out-of-memory errors. Errors such as the following were logged : pop3-login: pop3-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory In this updated package, the 'login_process_size' limit is correctly configured on 64-bit systems, which resolves this issue. Note: this updated package upgrades dovecot to version 1.0.7. 
    For further details, refer to the Dovecot changelog: http://koji.fedoraproject.org/koji/buildinfo?buildID=23397
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60404
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60404
    title Scientific Linux Security Update : dovecot on SL5.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-487-1.NASL
    description It was discovered that Dovecot, when configured to use non-system-user spools and compressed folders, would allow directory traversals in mailbox names. Remote authenticated users could potentially read email owned by other users. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28088
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28088
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : dovecot vulnerability (USN-487-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1359.NASL
    description It was discovered that dovecot, a secure mail server that supports mbox and maildir mailboxes, when configured to use non-system-user spools and compressed folders, may allow directory traversal in mailbox names.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25959
    published 2007-09-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25959
    title Debian DSA-1359-1 : dovecot - directory traversal
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0297.NASL
    description An updated dovecot package that fixes several security issues and various bugs is now available for Red Hat Enterprise Linux 5. This update has been rated as having low security impact by the Red Hat Security Response Team. Dovecot is an IMAP server for Linux and UNIX-like systems, primarily written with security in mind. A flaw was discovered in the way Dovecot handled the 'mail_extra_groups' option. An authenticated attacker with local shell access could leverage this flaw to read, modify, or delete other users mail that is stored on the mail server. (CVE-2008-1199) This issue did not affect the default Red Hat Enterprise Linux 5 Dovecot configuration. This update adds two new configuration options -- 'mail_privileged_group' and 'mail_access_groups' -- to minimize the usage of additional privileges. A directory traversal flaw was discovered in Dovecot's zlib plug-in. An authenticated user could use this flaw to view other compressed mailboxes with the permissions of the Dovecot process. (CVE-2007-2231) A flaw was found in the Dovecot ACL plug-in. User with only insert permissions for a mailbox could use the 'COPY' and 'APPEND' commands to set additional message flags. (CVE-2007-4211) A flaw was found in a way Dovecot cached LDAP query results in certain configurations. This could possibly allow authenticated users to log in as a different user who has the same password. (CVE-2007-6598) As well, this updated package fixes the following bugs : * configuring 'userdb' and 'passdb' to use LDAP caused Dovecot to hang. A segmentation fault may have occurred. In this updated package, using an LDAP backend for 'userdb' and 'passdb' no longer causes Dovecot to hang. * the Dovecot 'login_process_size' limit was configured for 32-bit systems. On 64-bit systems, when Dovecot was configured to use either IMAP or POP3, the log in processes crashed with out-of-memory errors. 
    Errors such as the following were logged : pop3-login: pop3-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory In this updated package, the 'login_process_size' limit is correctly configured on 64-bit systems, which resolves this issue. Note: this updated package upgrades dovecot to version 1.0.7. For further details, refer to the Dovecot changelog: http://koji.fedoraproject.org/koji/buildinfo?buildID=23397 Users of dovecot are advised to upgrade to this updated package, which resolves these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 32423
    published 2008-05-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=32423
    title RHEL 5 : dovecot (RHSA-2008:0297)
oval via4
accepted 2013-04-29T04:10:34.145-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
family unix
id oval:org.mitre.oval:def:10995
status accepted
submitted 2010-07-09T03:56:16-04:00
title Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
version 19
redhat via4
advisories
rhsa
id RHSA-2008:0297
rpms dovecot-0:1.0.7-2.el5
refmap via4
bid 23552
bugtraq 20070418 rPSA-2007-0074-1 dovecot
confirm http://dovecot.org/doc/NEWS
debian DSA-1359
mlist
  • [dovecot-cvs] 20070330 dovecot/src/lib-storage/index/mbox mbox-storage.c, 1.145.2.14, 1.145.2.15
  • [dovecot-news] 20070330 Security hole #3: zlib plugin allows opening any gziped mboxes
secunia
  • 25072
  • 30342
suse SUSE-SR:2007:008
ubuntu USN-487-1
vupen ADV-2007-1452
xf dovecot-mboxstorage-directory-traversal(34082)
statements via4
contributor Joshua Bressers
lastmodified 2008-05-21
organization Red Hat
statement This issue did not affect Red Hat Enterprise Linux prior to version 5. An update to Red Hat Enterprise Linux 5 was released to correct this issue: https://rhn.redhat.com/errata/RHSA-2008-0297.html
Last major update 05-11-2012 - 22:37
Published 25-04-2007 - 11:19
Last modified 16-10-2018 - 12:42