[horde] Two questions: menu.php and test.php
Kevin M. Myer
kevin_myer at iu13.org
Tue Jul 15 05:13:34 PDT 2003
Hello,
I am running Horde 2.2.3 with IMP 3.2.1 and Turba 1.2. I have Apache configured
so that horde doesn't appear in the URL (i.e. DocumentRoot /path/to/horde, Alias
/path/to/horde /horde) and I have the webroot set properly to ''. I am using
IMP for authentication as well. My problem is that before I even login,
menu.php is being displayed with the icons of the installed modules and the log
out button. This is causing some confusion with users who are trying to click
on the icons prior to login. And while I don't believe in security through
obscurity, I do believe in giving away as little information as possible about
what's installed on a system - this has the effect of advertising all the
installed applications to the world, without anyone having to log in.
I've tried to mitigate this in several ways. First, I double-checked my
settings to make sure that they are correct and I'm pretty certain that they
are (or at least I'm consistently wrong in making the changes, since this shows
up on several Horde installs I've done this way). Secondly, I tried adding an
Auth::getAuth() check, first in menu.php and secondly in one of the include
files that is used to build the menu. My idea was that if you're not
authenticated, don't show the menu. If you are, show the menu. I was sort of
able to make this work but not perfectly - before login, all I got was a white
rectangle where the menu would be (which is to be expected, since nothing is
being rendered there) and after login, if I refreshed, then I got my menu. So
my question is this: is there an easy way to make the menu disappear before a
user is authenticated or do I have something misconfigured?
The second issue relates to the various test.php files that are included with the
various components. While there are strong warnings in the documentation to
remove or otherwise disable access to these files after you're done using them,
I'd much prefer to see a "secure-by-default" approach taken, where access is
denied, either via an .htaccess file or via a check to see if a user is
authenticated. While this arguably makes it more difficult to troubleshoot
initial install problems (i.e. if you're having trouble logging in), it
prevents a load of information from being available, by default, to
unscrupulous individuals who might prey on those who forget to disable the
files. Its really an issue of administration - don't put test systems on the
Internet until they're hardened - but we all know that it happens anyway and if
something can be done to make things a little more secure, I think that would
be great.
Kevin
--
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140
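An .htaccess fragment of the kind the post asks for (deny test.php by default rather than relying on the administrator to remove it), added here as an illustration; it is not part of the original message and not shipped by the Horde project. It assumes the Horde tree is served by Apache with AllowOverride in effect for that directory, that the test scripts are named test.php as in the post, and the administrator address shown is a placeholder.

```apache
# Added example (not from the original message or from the Horde project).
# Place this in the .htaccess at the top of the Horde document tree, or in the
# main server config inside the matching <Directory> block. It assumes
# AllowOverride Limit (or All) is in effect for that directory.

# Deny every request for a file named test.php at any depth under this
# directory, so the installation tests are unreachable unless an admin
# deliberately re-enables them. A <Files> section applies to subdirectories too.
<Files "test.php">
    # Apache 1.3 / 2.0 / 2.2 syntax (mod_access): evaluate Deny, then Allow.
    Order deny,allow
    Deny from all
    # Uncomment to permit only an administrator host while troubleshooting an
    # install; 192.0.2.10 is a placeholder documentation address.
    # Allow from 192.0.2.10
</Files>

# Equivalent for Apache 2.4 (mod_authz_core), which replaced Order/Deny/Allow:
# <Files "test.php">
#     Require all denied
#     # Require ip 192.0.2.10
# </Files>
```

Because <Files> matches on the filesystem name rather than the URL, the rule holds no matter how DocumentRoot or Alias maps the Horde tree into URL space. After adding it, request /test.php (and /imp/test.php, /turba/test.php) from an ordinary client and confirm a 403 is returned; the test pages should then only ever be reachable after an administrator consciously relaxes the rule.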