Thank you for your reply!
What we are doing now is a rewrite with Apache.

==============================================
RewriteCond %{QUERY_STRING} !modu=([^\.&]+)$
==============================================

The patch file for qmailadmin that you make, we really want to verify that too.
Let us know if you are ready for that.

Thanks.


On Wed, 2 Aug 2006 08:27:23 -0700
Tom Collins <[EMAIL PROTECTED]> wrote:

> On Aug 1, 2006, at 7:14 PM, [EMAIL PROTECTED] wrote:
> > 3. After that you will get an address like this in the address bar of
> > your browser.
> > =================================================
> >    http://sample.co.jp/cgi-bin/qmailadmin/com/delmailinglistnow?user=postmaster&dom=sample.co.jp&time=1154482055&
> >
> > 4.k! now the main point. ENTER the URL.
> > =================================================
> > 10.10.10.30 - - [02/Aug/2006:10:29:45 +0900] "GET /cgi-bin/qmailadmin/com/delmailinglistnow?user=postmaster&dom=sample.co.jp&time=1154482055& HTTP/1.1" 200 8058 "-" "Mozillla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> >
> >
> > 5. And look under the domain directory.
> > ALL DIRECTORY HAS BEEN DELETED...vpasswd and etc,, everything gone...
> 
> Confirmed.  If you edit the URL to remove the "modu" parameter, it  
> will delete the entire domain directory.
> 
> I'll add a patch to have qmailadmin ensure that "modu" is an actual  
> mailing list before going through with the delete.  I imagine that  
> there are other instances where modifying the URL would result in  
> things you don't want.  I'm not sure I'd call this a bug, but it  
> would certainly be a good idea to modify the code to validate the  
> input better.
> 
> --
> Tom Collins  -  [EMAIL PROTECTED]
> Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/
> QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/
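
Added example, not part of the original thread and not qmailadmin's code: one way to do the check described above (confirm that "modu" names an actual mailing list before deleting), in C. The function names, the 64-character limit, the "lock" marker file and the idea that the delete target is the domain directory joined with the list name are all assumptions.

```c
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper: return 1 only when `name` is a well-formed list name
 * AND <domain_dir>/<name> is an existing list directory.
 * Assumption: a list directory contains a regular file named "lock". */
int is_real_mailing_list(const char *domain_dir, const char *name)
{
    char path[1024];
    struct stat st;
    size_t i, len = name ? strlen(name) : 0;

    if (len == 0 || len > 64 || name[0] == '.')
        return 0;               /* an empty name would resolve to domain_dir itself */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return 0;           /* no '/', so the path cannot leave domain_dir */
    }
    if (snprintf(path, sizeof path, "%s/%s", domain_dir, name) >= (int)sizeof path)
        return 0;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;               /* must be a real directory, not a symlink */
    if (snprintf(path, sizeof path, "%s/%s/lock", domain_dir, name) >= (int)sizeof path)
        return 0;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Build a constructed domain directory under /tmp and check one name in it. */
int demo_check(const char *name)
{
    char dom[] = "/tmp/qa-demo-XXXXXX", list[64], lock[64], mbox[64];
    FILE *f;
    int ok;

    if (!mkdtemp(dom)) return -1;
    snprintf(list, sizeof list, "%s/staff", dom);       /* a mailing list */
    snprintf(lock, sizeof lock, "%s/staff/lock", dom);
    snprintf(mbox, sizeof mbox, "%s/postmaster", dom);  /* a mailbox, not a list */
    mkdir(list, 0700); mkdir(mbox, 0700);
    if ((f = fopen(lock, "w"))) fclose(f);
    ok = is_real_mailing_list(dom, name);
    remove(lock); remove(list); remove(mbox); remove(dom);
    return ok;
}
```

A delete handler would call is_real_mailing_list() first and refuse the request when it returns 0, which covers the missing or empty "modu" case from the report.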
