Kris Steinhoff wrote:
> The scripts in the bin directory may be slightly more vulnerable to denial of
> service attacks. But I'm more worried about the potential for bugs in those
> scripts (or stuff they call) that could be a vector for more serious attacks.
>
> Usage of those scripts should be limited to users known to RoundCube.
>
> If the added weight of creating the $RCMAIL instance is a concern, then perhaps
> we could use a different (lighter) approach to verifying that the user running
> the script is a valid RoundCube user.
>
> -kris
I strongly agree with Kris that it is preferable to spend a few more CPU cycles if it reduces the exposure of our systems to attack. Since we've recently found two of the three web scripts in that directory to be vulnerable, I find the trade-off to be very compelling.

I've created a ticket with a patch for this.

http://trac.roundcube.net/ticket/1485645

-Jim

_______________________________________________
List info: http://lists.roundcube.net/dev/
