Date: Sat, 2 Dec 2000 10:40:58 +0200
From: Stanislav Grozev <tacho@ORBITEL.BG>
Subject: Re: PostACI Webmail Vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

On Thu, Nov 30, 2000 at 09:25:42PM -0500, Michael R. Rudel wrote:
<SNIP>
> So, if webmail.com was running PostACI:
>
> http://<host.running.postaci.com>/includes/global.inc
>
> Well, you ask, what can I do to fix this?
>
> There are a few different ways. You could just modify the source tree to
> make /includes a different directory that only you know. Or, you could do
> it the right way and use a .htaccess file to only allow localhost to
> access anything in the includes directory.
>

Or you can do the rightest thing and move the includes outside the web server document tree, and modify the source code accordingly. Moving it to a directory that only you know, but still inside the www document tree, is a false sense of security, a primer of security through obscurity.

-tacho

--
[i don't follow] | [http://daemonz.org/ || tacho@daemonz.org]
[everything should be made as simple as possible, but no simpler]
0x44FC3339 || [02B5 798B 4BD1 97FB F8DB 72E4 DCA4 BE03 44FC 3339]
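What the fix tacho recommends looks like in code, as an added example that is not part of the original post and not PostACI's own source: the include directory is moved one level above the Apache DocumentRoot, and the application loads its files from there through a small wrapper. The directory layout, the constant WEBMAIL_INCLUDE_DIR and the function webmail_require() are assumptions made for this illustration; the example also uses current PHP syntax rather than the PHP of 2000.

```php
<?php
// Added example (not PostACI's own code). It assumes this layout,
// chosen for illustration:
//   /var/www/webmail/htdocs/      <- Apache DocumentRoot; index.php lives here
//   /var/www/webmail/includes/    <- global.inc and friends, NOT under DocumentRoot
// A request for http://host/includes/global.inc now gets a 404 from the
// web server, because the file is not inside the served tree at all.

// Resolve the include directory relative to this script, one level above
// the document root. realpath() collapses symlinks and "..", so the check
// below compares canonical paths and is false if the directory is missing.
define('WEBMAIL_INCLUDE_DIR', realpath(__DIR__ . '/../includes'));

/**
 * Load a configuration or library file from the include directory.
 *
 * The caller passes a bare file name ("global.inc"). Anything that does not
 * resolve to a regular file directly inside WEBMAIL_INCLUDE_DIR is refused,
 * so a malformed $name can neither wander out of the directory nor load a
 * file that was never meant to be an include.
 */
function webmail_require(string $name): void
{
    if (WEBMAIL_INCLUDE_DIR === false) {
        throw new RuntimeException('include directory does not exist');
    }
    $path = realpath(WEBMAIL_INCLUDE_DIR . DIRECTORY_SEPARATOR . $name);
    if ($path === false
        || dirname($path) !== WEBMAIL_INCLUDE_DIR
        || !is_file($path)) {
        throw new RuntimeException("refusing to load include: $name");
    }
    require_once $path;
}

// Code living in the document root previously did something like
//   include("includes/global.inc");
// After the move the same file is loaded with:
webmail_require('global.inc');
```

The point of moving the directory rather than renaming or .htaccess-protecting it is that PHP's include() reads the file from the filesystem, not over HTTP, so the application never needs the web server to serve /includes at all; the "allow localhost" variant grants an access path that nothing legitimate uses. If the files cannot be moved, an Apache `<Directory>` block or .htaccess that denies all requests to the directory (`Deny from all` on Apache 1.3/2.x, `Require all denied` on 2.4) is the defense-in-depth fallback, since a `.inc` file the PHP module is not configured to handle is otherwise returned to the browser as plain text.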