Bugtraq mailing list archives

Re: PostACI Webmail Vulnerability


From: Stanislav Grozev <tacho () ORBITEL BG>
Date: Sat, 2 Dec 2000 10:40:58 +0200

On Thu, Nov 30, 2000 at 09:25:42PM -0500, Michael R. Rudel wrote:
<SNIP> 
So, if webmail.com was running PostACI:

http://<host.running.postaci.com>/includes/global.inc

Well, you ask, what can I do to fix this?

There are a few different ways. You could just modify the source tree to
make /includes a different directory that only you know. Or, you could do
it the right way and use a .htaccess file to only allow localhost to
access anything in the includes directory.


Or you can do the rightest thing and move the includes outside the
web server document tree, and modify the source code accordingly.
Moving it to a directory that only you know, but still inside the
www document tree, is a false sense of security, a prime example of security
through obscurity.

-tacho

-- 
   [i don't follow] | [http://daemonz.org/ || tacho () daemonz org]
   [everything should be made as simple as possible, but no simpler]
   0x44FC3339 || [02B5 798B 4BD1 97FB F8DB 72E4 DCA4 BE03 44FC 3339]
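The two fixes discussed in this thread (deny the web server access to the includes directory, or move the includes out of the document tree), shown as Apache configuration. This is an added example, not configuration shipped with PostACI or posted by either author; the paths, the hostname and the directory names are assumptions.

```apache
# Added example (not from the original thread). Apache 2.4 configuration for
# the two fixes discussed above. All paths and hostnames are assumptions.
#
# Weak layout: the includes live under the document root, so a request for
# /includes/global.inc returns the file as plain text, configuration values
# and all.
#
#   DocumentRoot /var/www/html
#   /var/www/html/includes/global.inc   <- reachable by any browser
#
# Fix 1 (stop-gap): leave the directory where it is but refuse to serve it.
# Put this in /var/www/html/includes/.htaccess (AllowOverride must permit
# it) or keep it in the main configuration as shown here.
<Directory "/var/www/html/includes">
    # PHP's include/require reads these files straight from disk, not over
    # HTTP, so nothing needs web access to them, not even localhost.
    # Apache 2.4 syntax; the 2.2 equivalent is:
    #   Order deny,allow
    #   Deny from all
    Require all denied
</Directory>

# Fix 2 (preferred): move the includes out of the document tree entirely.
# The server never maps a URL onto /var/www/postaci-includes, so no
# per-directory rule, override setting or handler mix-up can expose them.
#
#   mv /var/www/html/includes /var/www/postaci-includes
#
# Pointing PHP's include_path at the new location means the application's
# own "require 'global.inc';" calls keep working without editing each file.
<VirtualHost *:80>
    ServerName webmail.example.com
    DocumentRoot "/var/www/html"
    php_value include_path ".:/var/www/postaci-includes"
</VirtualHost>
```

To confirm the fix from the outside, request the include file directly (for example `curl -I http://webmail.example.com/includes/global.inc` against your own server): fix 1 should answer 403 and fix 2 should answer 404. Fix 1 only holds as long as Apache is the only thing serving that directory and `AllowOverride` is not later tightened to ignore the `.htaccess`, which is why moving the files out of the document root is the more robust choice.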
