On Tue, 2006-06-20 at 09:51 +0200, Paul J Stevens wrote:
>
> Geo Carncross wrote:
> > SQL injection is only one kind of attack- if DBMail can be controlled by
> > other means, a user (perhaps: an anonymous one) might have access to
> > _all_ mail, and might have access to damage all mail.
>
> Amen. Like how many users have their dbmail.conf world-readable? Perhaps
> dbmail should simply refuse to operate if dbmail.conf is opened up too wide.
Just beware: ACLs are starting to show up in unixes, so sb.st_mode&04
might not cut it...
Of course, anyone who explicitly puts ACLs on a dbmail.conf file gets
what they deserve.
We should also check the directory dbmail.conf is in to make sure that:
neither dir nor file are writable by group or other
file isn't readable by group or other
Of course, this restriction wouldn't be necessary in the following
situations:
* SQLite
* SQL server handles login :)
--
Internet Connection High Quality Web Hosting
http://www.internetconnection.net/
