[17909] in bugtraq
Re: PostACI Webmail Vulnerability
daemon@ATHENA.MIT.EDU (Stanislav Grozev)
Mon Dec 4 14:43:37 2000
Message-Id: <20001202104058.A1600@thing.orbitel.bg>
Date: Sat, 2 Dec 2000 10:40:58 +0200
Reply-To: Stanislav Grozev <tacho@ORBITEL.BG>
From: Stanislav Grozev <tacho@ORBITEL.BG>
X-To: "Michael R. Rudel" <mrr@BRIG.PCS.K12.MI.US>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSF.4.21.0011302119280.22520-100000@brig.pcs.k12.mi.us>; from mrr@BRIG.PCS.K12.MI.US on Thu, Nov 30, 2000 at 09:25:42PM -0500
On Thu, Nov 30, 2000 at 09:25:42PM -0500, Michael R. Rudel wrote:
<SNIP>
> So, if webmail.com was running PostACI:
>
> http://<host.running.postaci.com>/includes/global.inc
>
> Well, you ask, what can I do to fix this?
>
> There are a few different ways. You could just modify the source tree to
> make /includes a different directory that only you know. Or, you could do
> it the right way and use a .htaccess file to only allow localhost to
> access anything in the includes directory.
>
Or you can do the rightest thing and move the includes outside the
web server document tree, and modify the source code accordingly.
Moving them to a directory that only you know, but still inside the
www document tree, is a false sense of security, a primer of security through
obscurity.
-tacho
--
[i don't follow] | [http://daemonz.org/ || tacho@daemonz.org]
[everything should be made as simple as possible, but no simpler]
0x44FC3339 || [02B5 798B 4BD1 97FB F8DB 72E4 DCA4 BE03 44FC 3339]
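Added example, not part of either post and not PostACI's own code: a small Python model of the two layouts the thread argues about. It maps request paths onto an in-memory filesystem the way a correctly written web server does (normalising `..`, pinning everything under the document root), then shows that a `.inc` file under the root is handed out verbatim because the server does not treat it as PHP, while the same file moved to a sibling directory outside the root cannot be reached by any request path, traversal included. The document root `/var/www/html`, the sibling directory `/srv/postaci/includes`, the `PHP_HANDLED` set and the file contents are all assumptions constructed for the illustration.

```python
import posixpath

DOCROOT = "/var/www/html"          # served directory (assumed for this example)
PHP_HANDLED = {".php"}             # extensions the server passes to PHP (assumed)

# Constructed in-memory filesystems, path -> contents.
# Vulnerable layout: the includes directory lives under the document root.
FILES_EXPOSED = {
    "/var/www/html/index.php": "<?php include 'includes/global.inc'; ?>",
    "/var/www/html/includes/global.inc": "<?php $db_pass = 'secret'; ?>",
}
# Fixed layout: includes moved out of the root, include statement adjusted.
FILES_FIXED = {
    "/var/www/html/index.php": "<?php include '/srv/postaci/includes/global.inc'; ?>",
    "/srv/postaci/includes/global.inc": "<?php $db_pass = 'secret'; ?>",
}


def resolve(request_path, files, docroot=DOCROOT):
    """Map a URL path onto the filesystem the way a correct server does:
    collapse '.' and '..', pin the result under docroot, and return the
    absolute path if such a file exists, else None."""
    clean = posixpath.normpath("/" + request_path.lstrip("/"))  # '..' cannot climb above '/'
    full = docroot + clean
    assert full.startswith(docroot + "/")                        # invariant: never leaves docroot
    return full if full in files else None


def served_as_plaintext(request_path, files, docroot=DOCROOT):
    """Return what an anonymous client receives for request_path, or None if
    the request 404s or the file is executed by PHP rather than sent verbatim.
    A '.inc' under docroot is sent verbatim, secrets included, because the
    server does not recognise it as PHP."""
    path = resolve(request_path, files, docroot)
    if path is None:
        return None
    _, ext = posixpath.splitext(path)
    if ext in PHP_HANDLED:
        return None          # interpreted server-side; source never reaches the client
    return files[path]


def exposed_includes(files, docroot=DOCROOT):
    """Audit: list every file under docroot that is not handled by PHP but
    looks like PHP source. Anything listed is readable by whoever can reach
    the web server, .htaccess or not."""
    found = []
    for path, body in files.items():
        inside = path.startswith(docroot + "/")
        _, ext = posixpath.splitext(path)
        if inside and ext not in PHP_HANDLED and "<?php" in body:
            found.append(path)
    return sorted(found)


if __name__ == "__main__":
    print("exposed layout :", served_as_plaintext("/includes/global.inc", FILES_EXPOSED))
    print("fixed layout   :", served_as_plaintext("/includes/global.inc", FILES_FIXED))
    print("traversal      :", served_as_plaintext("/../../srv/postaci/includes/global.inc", FILES_FIXED))
    print("audit exposed  :", exposed_includes(FILES_EXPOSED))
    print("audit fixed    :", exposed_includes(FILES_FIXED))
```

The `exposed_includes` walk is the check worth running on a real tree: anything under the document root that the server will not interpret is served as a download, so the only layout the server cannot be talked into serving is one where the file is not under the root at all. A `.htaccess` rule depends on `AllowOverride` being enabled and on every front-end server honouring it; the relocated directory depends on nothing.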