Bugtraq mailing list archives
Re: PostACI Webmail Vulnerability
From: Stanislav Grozev <tacho () ORBITEL BG>
Date: Sat, 2 Dec 2000 10:40:58 +0200
On Thu, Nov 30, 2000 at 09:25:42PM -0500, Michael R. Rudel wrote:

<SNIP>

> So, if webmail.com was running PostACI:
>
> http://<host.running.postaci.com>/includes/global.inc
>
> Well, you ask, what can I do to fix this? There are a few different ways.
> You could just modify the source tree to make /includes a different
> directory that only you know. Or, you could do it the right way and use a
> .htaccess file to only allow localhost to access anything in the includes
> directory.

or you can do the rightest thing and move the includes outside the web server document tree, and modify the source code accordingly. moving it to a directory that only you know, but still inside the www document tree, is a false sense of security, a primer of security through obscurity.

-tacho

--
[i don't follow] | [http://daemonz.org/ || tacho () daemonz org]
[everything should be made as simple as possible, but no simpler]
0x44FC3339 || [02B5 798B 4BD1 97FB F8DB 72E4 DCA4 BE03 44FC 3339]
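
The following audit sketch is an added example, not part of the original post or of PostACI. It walks a document root and reports include files the web server would hand out as plain text, showing that a renamed directory inside the tree is still reported while one outside the tree is not. The extension sets, the directory names other than `includes/global.inc`, and the helper names are assumptions made for illustration.

```python
import os
import tempfile

# Assumption: extensions the web server passes to the PHP interpreter.
# Any other file under the document root is returned to the client as-is.
EXECUTED_EXTENSIONS = {".php", ".php3"}
# Assumption: extensions commonly used for include and config files.
INCLUDE_EXTENSIONS = {".inc", ".conf", ".ini"}


def is_inside(path, root):
    """True if path resolves (symlinks followed) to a location under root."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def exposed_includes(docroot):
    """Return docroot-relative paths of include files served as plain text."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in INCLUDE_EXTENSIONS and ext not in EXECUTED_EXTENSIONS:
                full = os.path.join(dirpath, name)
                findings.append(os.path.relpath(full, docroot))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout: three ways of placing global.inc."""
    layout = [
        "htdocs/index.php",
        "htdocs/includes/global.inc",      # default layout from the thread
        "htdocs/x9f3_private/global.inc",  # renamed directory, same tree
        "private/includes/global.inc",     # outside the document tree
    ]
    for rel in layout:
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php /* constructed placeholder */ ?>\n")
    return os.path.join(base, "htdocs"), os.path.join(base, "private")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        docroot, private = build_sample_tree(base)
        for rel in exposed_includes(docroot):
            print("served as plain text:", rel)
        print("private dir inside docroot:", is_inside(private, docroot))
```

Run against a real document root, an empty result from `exposed_includes` only covers the listed extensions; adjust both sets to match the server's actual handler configuration.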
Current thread:
- PostACI Webmail Vulnerability Michael R. Rudel (Dec 02)
- Re: PostACI Webmail Vulnerability Stanislav Grozev (Dec 05)