[horde] Two questions: menu.php and test.php

Kevin M. Myer kevin_myer at iu13.org
Mon Jul 28 12:26:29 PDT 2003


The issue I have is not whether or not the files exist or are executable but the
fact that they are distributed that way, which leads to a
free-information-disclosure-by-default install.  A simple, low-tech solution is
to distribute the test.php files the same way as the config files, ending in
.dist (i.e. test.php.dist).

If I enable the test.php.dist file by renaming it, the onus is on me to disable
it.  If I don't enable it, it divulges nothing.  As long as test.php exists in
some form, you can't prevent a Horde system from divulging info, but at least a
.dist by default requires user intervention to see it.  The only changes I see
necessary to accommodate this are documentation related (and of course renaming
test.php to test.php.dist).

Kevin

> Quoting Chuck Hagenbuch <chuck at horde.org>:
>
> > Quoting "Kevin M. Myer" <kevin_myer at iu13.org>:
> >
> > > Second issue relates to the various test.php files that are included with
> > > the various components.  While there are strong warnings in the
> > > documentation to remove or otherwise disable access to these files after
> > > you're done using them, I'd much prefer to see a "secure-by-default"
> > > approach taken, where
> > >
> > Any workable suggestions for how to do this would be welcome.  Authentication
> > isn't one of them, I don't think...
>
> One silly idea is to have it check at the time of an admin login and report
> if the test files are executable, giving some kind of warning to the admin
> that they should disable them if they no longer need them...
>
> But this would only work in HEAD where we have an admin login...  Not sure
> how you could do something similar in RELENG.
>
> > -chuck
>
> --
> Eric Rostetter
> The Department of Physics
> The University of Texas at Austin
>
> Why get even? Get odd!
>
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>
>
> ----- End message from eric.rostetter at physics.utexas.edu -----
--
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140
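The two mitigations discussed in this thread, shipping test.php as test.php.dist so that enabling it takes a deliberate rename, and reporting still-enabled test scripts to an administrator at login, can be combined in a small audit routine. The code below is an added example written for this archive page; it is not Horde's own code and does not reflect how Horde implemented anything. It assumes modern PHP (7.0 or later, for the type declarations), a layout in which each Horde component lives in its own subdirectory under one root (the path `/var/www/horde` is a placeholder), and function names that are invented for the example.

```php
<?php
// Added example, not Horde project code. Audits a Horde tree for live
// test.php files so an admin page can warn about them, and disables a
// live file by renaming it to the .dist convention from the thread.

/**
 * Return the sorted list of test.php files found under $hordeRoot.
 * Files named test.php.dist are deliberately not matched: the PHP
 * handler only runs *.php, so a .dist copy is inert until renamed.
 */
function horde_find_live_test_files(string $hordeRoot): array
{
    $live = [];
    if (!is_dir($hordeRoot)) {
        return $live;
    }
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($hordeRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        // Exact name match: this is what the web server would execute.
        if ($file->isFile() && $file->getFilename() === 'test.php') {
            $live[] = $file->getPathname();
        }
    }
    sort($live);
    return $live;
}

/**
 * Disable one live test.php by renaming it to test.php.dist.
 * Returns true on success; refuses to touch anything that is not a
 * test.php file and never overwrites an existing .dist copy.
 */
function horde_disable_test_file(string $path): bool
{
    if (basename($path) !== 'test.php' || !is_file($path)) {
        return false;
    }
    $target = $path . '.dist';
    if (file_exists($target)) {
        return false;
    }
    return rename($path, $target);
}

/**
 * Build the HTML warning shown to an administrator after login.
 * Returns an empty string when nothing is enabled, so callers can
 * simply echo the result.
 */
function horde_test_file_warning(array $live): string
{
    if (count($live) === 0) {
        return '';
    }
    $html = '<p>The following test scripts are enabled and disclose '
          . 'configuration details to anyone who can request them. '
          . 'Rename each to test.php.dist once you are done with it.</p><ul>';
    foreach ($live as $path) {
        $html .= '<li>' . htmlspecialchars($path, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return $html . '</ul>';
}

// Example usage with a placeholder install path.
$live = horde_find_live_test_files('/var/www/horde');
echo horde_test_file_warning($live);
```

One caveat a deployer will want: the .dist convention keeps the script from executing, but a web server that serves unknown extensions as plain text will still hand out the contents of test.php.dist (as it would config.php.dist). Whatever rule already protects the config directory from direct requests should be applied to .dist files generally, so the rename removes the disclosure rather than just changing its form.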