||Home : Advisories : The PostACI webmail vulnerability|
||The PostACI webmail vulnerability
||Michael R. Rudel
||1st December 2000
The PostACI webmail system contains a rather trival vulnerability. One can
obtain the hostname, username and password variables for the MySQL server
(in addition to other setup information) if PostACI is setup as described
running out of the box by simplying going to the url:
So, if webmail.com was running PostACI:
Well, you ask, what can I do to fix this?
There are a few different ways. You could just modify the source tree to
make /includes a different directory that only you know. Or, you could do
it the right way and use a .htaccess file to only allow localhost to
access anything in the includes directory.
MySQL database passwords are something that need to be more closely
guarded, and this isn't the first application like this I've seen that
does something like this.
In addition to properly guarding your passwords, you should only let
certain hostnames connect to MySQL, and should have several layers of
protection, such as at least one firewall, and then MySQL's built in host
-- Michael R. Rudel
-- Technician / Security Advisor
-- Pinckney Community Schools =-= http://www.pcs.k12.mi.us