Title: The PostACI webmail vulnerability
Released by: Michael R. Rudel
Date: 1st December 2000

The PostACI webmail system contains a rather trivial vulnerability. One can
obtain the hostname, username and password variables for the MySQL server
(in addition to other setup information) if PostACI is set up as described,
running out of the box, simply by going to the URL:

http://<hostname>/includes/global.inc



So, if webmail.com was running PostACI:

http://webmail.com/includes/global.inc







Well, you ask, what can I do to fix this?

There are a few different ways. You could just modify the source tree to
make /includes a different directory that only you know. Or, you could do
it the right way and use a .htaccess file to only allow localhost to
access anything in the includes directory.
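
The .htaccess approach described above, written out as an added example (it is
not part of the original advisory or of PostACI). It assumes the web server is
Apache and that the file is placed inside PostACI's includes directory; both
the Apache 2.4 syntax and the older Order/Deny/Allow syntax are shown.

```apache
# .htaccess placed inside the PostACI includes/ directory (added example).
#
# Assumption: the main server configuration lets this file set access
# rules for the directory, i.e. AllowOverride includes AuthConfig (needed
# for Require) or Limit (needed for Order/Deny/Allow). With
# "AllowOverride None" Apache ignores .htaccess files without any error,
# and global.inc stays readable.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    # "local" covers 127.0.0.0/8, ::1, and requests where the client and
    # server addresses are the same.
    Require local
</IfModule>

# Older Apache releases without mod_authz_core
<IfModule !mod_authz_core.c>
    # Evaluate Deny first, then let Allow override it for localhost only.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</IfModule>
```

PHP's include() reads these files from disk rather than over HTTP, so the rule does not affect the application itself. After deploying it, request includes/global.inc from another host and confirm the server answers with 403 Forbidden.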



MySQL database passwords are something that needs to be more closely
guarded, and this isn't the first application like this I've seen that
does something like this.





In addition to properly guarding your passwords, you should only let
certain hostnames connect to MySQL, and should have several layers of
protection, such as at least one firewall, and then MySQL's built-in host
protection.





-- Michael R. Rudel
-- Technician / Security Advisor
-- Pinckney Community Schools =-= http://www.pcs.k12.mi.us







