Date: Thu, 30 Nov 2000 21:25:42 -0500 From: "Michael R. Rudel" <mrr@BRIG.PCS.K12.MI.US> Subject: PostACI Webmail Vulnerability To: BUGTRAQ@SECURITYFOCUS.COM The PostACI webmail system contains a rather trival vulnerability. One can obtain the hostname, username and password variables for the MySQL server (in addition to other setup information) if PostACI is setup as described running out of the box by simplying going to the url: http://<host.running.postaci.com>/includes/global.inc So, if webmail.com was running PostACI: http://<host.running.postaci.com>/includes/global.inc Well, you ask, what can I do to fix this? There are a few different ways. You could just modify the source tree to make /includes a different directory that only you know. Or, you could do it the right way and use a .htaccess file to only allow localhost to access anything in the includes directory. MySQL database passwords are something that need to be more closely guarded, and this isn't the first application like this I've seen that does something like this. In addition to properly guarding your passwords, you should only let certain hostnames connect to MySQL, and should have several layers of protection, such as at least one firewall, and then MySQL's built in host protection. -- Michael R. Rudel -- Technician / Security Advisor -- Pinckney Community Schools =-= http://www.pcs.k12.mi.us