Ari Novikoff <[EMAIL PROTECTED]> said:

> Well, AFAICT, file sharing using PHProjekt is fairly secure as well.

I do not believe it is.  Here is what everyone should consider.  No matter
what the application tries to implement in security, this is simply smoke
and mirrors.

If it is a web-based app, that means 'www' owns the file storage area.  This
is required to permit the web-based app to upload files.

This means even if you use SSL, anyone using the web-based app can hack on
through and get full access to all files, regardless of what the app
attempts to state.  The owner of the session is 'www', not any defined
logged in user/password.  This is why I state security is non-existent
because it can be easily broken.  Anyone using the app has full rights to
all your files and all directory shares it owns.

The only web-based file sharing implementation that is secure in any way is
one that stores the files in the mySQL database.  Unfortunately there are
some minor and major obstacles to overcome.  Minor is the SME mySQL version
is old and has a current limit of 16MB file upload/download sizes.  Easily
solved by a mySQL upgrade.  Second and more troubling is IE >5.5 cannot
access files in a mySQL database, for upload/download using SSL.  Known bug
so all IE users must use an insecure connection which defeats the purpose.

Now, with this information, if you choose to continue to use a web-based
file sharing app, that is your choice.

With my KISS solution you at least limit exposure by implementing apache
security.  Each share is unique.  Each share has a defined access list.  Yes
all users in the list have full rights but at least they only have full
rights to the one directory.

It is the best I have come up with so far and I have tested 'just' about
every groupware and file sharing app mentioned and even some that I have
searched and found.

Hope this info helps.

Regards,


--
Darrell May
DMC Netsourced.com
http://netsourced.com
http://myEZserver.com


--
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
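One way to lay out the per-share access lists the post describes, as an added example that is not part of the original message (the paths, group names and Apache 2.4 directive syntax are assumptions):

```apacheconf
# Added example (not from the original post): per-share access lists enforced
# by Apache itself rather than by the web application. Paths, group names and
# the Apache 2.4 directive syntax are assumptions.

# Nothing under the share root is reachable unless a share block below
# explicitly opens it.
<Directory "/var/www/shares">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

# Credentials live outside the document root so they can never be served.
# Users:  htpasswd -c /etc/httpd/shares.users alice
# Groups: one line per share in /etc/httpd/shares.groups, e.g.
#         finance: alice bob
#         engineering: carol dave

# Share 1: only members of the "finance" group, and only over TLS.
<Directory "/var/www/shares/finance">
    SSLRequireSSL
    AuthType Basic
    AuthName "Finance share"
    AuthUserFile  /etc/httpd/shares.users
    AuthGroupFile /etc/httpd/shares.groups
    Require group finance
</Directory>

# Share 2: a separate access list; membership in one share grants nothing
# in the other, which is the one-directory limit the post describes.
<Directory "/var/www/shares/engineering">
    SSLRequireSSL
    AuthType Basic
    AuthName "Engineering share"
    AuthUserFile  /etc/httpd/shares.users
    AuthGroupFile /etc/httpd/shares.groups
    Require group engineering
</Directory>
```

This limits what each HTTP client can reach; the files on disk are still readable by the web server's own user, which is the residual exposure the post acknowledges.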