Hi. I'm running ISPconfig on Debian sarge with the perfect setup. I have experienced strange problems with uebimiau which I installed using the ISPconfig tools button. Visiting the official website creates the impression that the uebimiau web mailer is not actively supported anymore. So please bear with me when I ask these questions here. Uebimiau works fine on the inbox - but when clicking on some othre directories - Trash for example, you are automatically logged out. When you have the "empty trash folder when you logout" option enabled the browser gets stuck in an infinite loop spiting out php error messages eventually crashing the machine where the browser is running. I have traced the error to an empty file handle passed to a fgets function. Second question - according to http://pridels.blogspot.com/2006/06/uebimiau-webmail-xss-vuln.html the latest version of uebimiau is insecure. Does any one know if this holds true or has the version shipping with ISPconfig been fixed ? kind regards, Eugene Coetzee
I think it's still under development. They don't release new versions very often, but that doesn't mean the project is dead. Any errors in the error log in /root/ispconfig/httpd/logs? In which file? Have you been able to find out why the file handle is empty? The ISPConfig Uebimiau package is the standard Uebimiaul package with a patched login procedure, so it contains all bugs that the official Uebimiau package has.
Nothing It is on line 25 of class.uebimiau_mail.php I don't know why the handle is empty - there doesn't seem to be a problem with file permissions. What bothers me is that there are not any test done to check for a valid handle and together with the other kind of vulnerabilities mentioned I don't have confidence in this software. I think we are going to opt for RoundCube instead. I deleted the relevant Uebimiaul directories and used the install tool to install RoundCube. How can i get rid of the webmail entry in the ISPconfig interface panel ? Although it is said that RoundCube only supports IMAP it appears to be doing fine with POP3 - except if I'm missing something somewhere. regards, Eugene Coetzee
