[dev] Re: [cvs] commit: passwd/config .cvsignore backends.php.dist conf.xml passwd/lib Driver.php Passwd.php base.php passwd/lib/Driver ldap.php sql.php passwd/templates/main main.inc passwd main.php

Mike Cochrane mike@graftonhall.co.nz
Sun Oct 13 03:44:33 PDT 2002


> ----- Message from eric.rostetter@physics.utexas.edu ---------
> Quoting Mike Cochrane <mike@graftonhall.co.nz>:
> 
> > > And, as a side effect, a module much easier to exploit by hackers to hack
> > > passwords...
> >
> > I'm not sure what you mean by this one... You still need to know the
> > current password so this is the same as any other login.
> 
> Purely hypothetical discussion...
>
> Until you set passwd to guest.  Now they can find it via google (since I
> didn't exclude it in my robots.txt file, etc).  They can access directly
> this page and start guessing username/password combinations.  Since most
> poppassd servers don't treat security as seriously as normal login
> processes, they probably have a much better chance of getting in via
> poppassd than they would via telnet/ssh/etc.  In fact, they probably have a
> better chance this way than via the Horde login page.  (Since the poppassd
> server probably isn't pam aware, doesn't care about how many times you try,
> etc).  Plus you've bypassed things like tcp_wrappers, firewalls, etc. that
> might normally be in place to help with telnet/ssh/poppassd/etc.

Ahh... I get you... brute force via Passwd....  I have reverted this already
anyway.

Thanks

- Mike :-)

