[dev] Re: [cvs] commit: passwd/config .cvsignore backends.php.dist conf.xml passwd/lib Driver.php Passwd.php base.php passwd/lib/Driver ldap.php sql.php passwd/templates/main main.inc passwd main.php

Eric Rostetter eric.rostetter@physics.utexas.edu
Sun Oct 13 18:44:33 PDT 2002


Quoting Harry Hoffman <hhoffman@ip-solutions.net>:

>  Essentially this is no different from any server that provides a login
> service for any network application. POP, IMAP, SSH, etc.

This isn't true.  You've missed my points from my previous posting.
Poppassd will routinely ignore security checks which services like pop, imap,
ftp, ssh, etc. will honor.  But that isn't even the real issue.  The point
is, you don't need to have any such services exposed...

Plus giving it via a guest service to Horde (which generally won't have
any tcp_wrapper/firewall protection) allows you to bypass any restrictions
you put on poppassd (networks listening, tcp_wrapper, firewalls, plain
passwords over the wire, etc).

So you may be decreasing the security by doing this.

Then there is the issue of indexing search engines, etc.  Much easier to find
web sites than imap servers using google.

> can all be exploited by first
> brute forcing the password then changing it.

You assume these services are open to be attacked.  The only thing that needs
to be open in a Horde setup is the Horde webpage.  You don't need to allow
access to the pop/imap/smtp/poppassd/ssh/etc. services from the outside.

So making this guest moves you from one exploit point to two...

> The only difference is that the
> "hacker" is more likely to be noticed upon changing the password. It's no
> more a security risk than any of these other types of services.

You are making the false assumption that the other services are even available.

I'm not saying this is a big issue.  It is a small issue.  But security, and
security reputations, are in the small details. (Which is why I'm thinking
of creating a real "Horde Security" doc soon, to help people who want to make
their Horde and Horde Apps installs as secure as possible)

> Thanks,
> Harry

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
