[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : The PostACI webmail vulnerability

Title: The PostACI webmail vulnerability
Released by: Michael R. Rudel
Date: 1st December 2000
Printable version: Click here
The PostACI webmail system contains a rather trival vulnerability. One can

obtain the hostname, username and password variables for the MySQL server

(in addition to other setup information) if PostACI is setup as described

running out of the box by simplying going to the url:


So, if webmail.com was running PostACI:


Well, you ask, what can I do to fix this?

There are a few different ways. You could just modify the source tree to

make /includes a different directory that only you know. Or, you could do

it the right way and use a .htaccess file to only allow localhost to

access anything in the includes directory.

MySQL database passwords are something that need to be more closely

guarded, and this isn't the first application like this I've seen that

does something like this.

In addition to properly guarding your passwords, you should only let

certain hostnames connect to MySQL, and should have several layers of

protection, such as at least one firewall, and then MySQL's built in host


-- Michael R. Rudel

-- Technician / Security Advisor

-- Pinckney Community Schools =-= http://www.pcs.k12.mi.us

(C) 1999-2000 All rights reserved.