possible security issue deleting maildir .. plugin module [ mail_plugin.inc.php ]
On the plugin module mail_plugin.inc.php there are three functions 'user_insert', 'user_update' and 'user_delete' in which there are .. exec("su -c 'rm -rf ..
Only on the 'user_delete' function there is a deeper control on the folder before removing (line 189): if(!stristr($old_maildir_path,'..') && !stristr($old_maildir_path,'*') && strlen($old_maildir_path) >= 10)
So ..
- this check should be done also on the other two functions
- the check is not '//' proof. Consider that if you set on db a maildir folder to "//////////////////////////////" string .. on the first user delete all the system will be erased.
I hit this issue because i'm developing a little script/plugin (based on your code) to import users from a firebird db server into ISPConfig3. Fortunatly i'm on a testing environment :-) .. in one case the maildir was passed empty and the resulting path was [ /var/vmail// ] .. so it exists, has no '..', has no '*' and is more than 10 char len .. All my /var/vmail folder has gone! :-((
Fortunately my developing was on /usr/local folder .. but my prefilter plugin i was working too (implementing domain interexchange policies and a more readable mail log) was in /var/vmail/prefilter .. and is completely lost (previous backup on 20 agoust .. was a alpha version). It's MY problem .. i know :-))
I think you should add (at least) a [ !stristr($old_maildir_path,'//') ].
P.S. Anyway .. i'm "seeing" you work.. i love it! :-)
Bye..
bajodel.