Date: Sat, 2 Dec 2000 10:40:58 +0200
From: Stanislav Grozev <tacho@ORBITEL.BG>
Subject: Re: PostACI Webmail Vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

On Thu, Nov 30, 2000 at 09:25:42PM -0500, Michael R. Rudel wrote:
<SNIP> 
> So, if webmail.com was running PostACI:
> 
> http://<host.running.postaci.com>/includes/global.inc
> 
> Well, you ask, what can I do to fix this?
> 
> There are a few different ways. You could just modify the source tree to
> make /includes a different directory that only you know. Or, you could do
> it the right way and use a .htaccess file to only allow localhost to
> access anything in the includes directory.
> 

Or you can do the rightest thing and move the includes outside the
web server document tree, and modify the source code accordingly.
Moving it to a directory that only you know, but still inside the
www document tree, is a false sense of security, a primer of security through
obscurity.

-tacho

-- 
   [i don't follow] | [http://daemonz.org/ || tacho@daemonz.org]
   [everything should be made as simple as possible, but no simpler]
   0x44FC3339 || [02B5 798B 4BD1 97FB F8DB 72E4 DCA4 BE03 44FC 3339]
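The two remedies discussed in the thread, as an added shell example that is not part of either post and not PostACI's own code: an audit function that lists `.inc` files still sitting under the document root (a web server with no handler for `.inc` serves them as plain text), the `.htaccess` stopgap that restricts the directory to localhost, and the relocation of the directory outside the document root. The directory layout, the `mktemp` temporary tree and the file contents are constructed for the demonstration; the `Order`/`Deny`/`Allow` directives are the Apache 1.3-era syntax and only take effect where `AllowOverride Limit` is permitted for that directory.

```shell
#!/bin/sh
# Added example, not from the original thread or the PostACI project.
# All paths are assumptions for illustration; substitute your own layout.

# List every file under DOCROOT whose name ends in .inc. Anything found
# here is reachable by URL and, lacking a server-side handler, is
# delivered verbatim to the client.
find_exposed_includes() {
    docroot=$1
    find "$docroot" -type f -name '*.inc' | sort
}

# Count of exposed include files; a nonzero value is the alert condition.
count_exposed_includes() {
    find_exposed_includes "$1" | wc -l | tr -d ' '
}

# Stopgap from the quoted post: an .htaccess in INCLUDEDIR that lets only
# localhost fetch the files. Apache 1.3-era directives; AllowOverride
# must permit Limit for the directory or this file is ignored.
write_localhost_only_htaccess() {
    includedir=$1
    cat > "$includedir/.htaccess" <<'EOF'
Order deny,allow
Deny from all
Allow from 127.0.0.1
EOF
}

# The fix the reply recommends: move the directory out of the document
# root entirely. Prints the new absolute path, which is what the
# application's include/require statements must then reference.
relocate_includes() {
    includedir=$1
    target=$2
    mkdir -p "$(dirname "$target")"
    mv "$includedir" "$target"
    printf '%s\n' "$target"
}

# Demonstration on a constructed layout in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/includes"
    # Constructed stand-in for a configuration include holding a secret.
    printf '<?php $db_pass = "example"; ?>\n' > "$tmp/www/includes/global.inc"
    echo "Before: $(count_exposed_includes "$tmp/www") exposed include file(s)"
    relocate_includes "$tmp/www/includes" "$tmp/app/includes" >/dev/null
    echo "After:  $(count_exposed_includes "$tmp/www") exposed include file(s)"
    rm -rf "$tmp"
}

demo
```

After `relocate_includes`, the application side of the change is a one-line edit per include, e.g. `require '/path/outside/docroot/includes/global.inc';` (the path is whatever `relocate_includes` printed); the audit function is worth keeping around as a periodic check, since an upgrade that unpacks a fresh tarball into the document root can quietly put the directory back.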
