[imp] Still security issue with attachments?
Harald Wilhelmi harald.wilhelmi@tngtech.com
Wed, 17 Jul 2002 10:32:49 +0200

Hello,
On Tue, Jul 16, 2002 at 04:18:38PM -0400, Chuck Hagenbuch wrote:
> It's theoretically possible to modify the form to read other files 
> accessible to the webserver user in your temp directory, but if you look at 
> the tempFilePath() and addMimeParts() functions, you'll see that it's 
> impossible to get out of that dir.

You are 100% right. I missed that tempFilePath() function. However, in the
default configuration that still exposed /tmp on my system. I changed
$conf['tmpdir'] in horde/config/horde.php to move the files to a
special directory. This seems secure enough for me.

Thank you very much
Harald Wilhelmi
-- 
------------------------------------------------------------------
Harald Wilhelmi	
Partner	
EMail: harald.wilhelmi@tngtech.com    *     Phone: +49(89)21589960
TNG Technology Consulting GmbH * Betastr. 9A * 85774 Unterfoehring
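
Added example, not part of the original message and not Horde/IMP source code: a sketch of the kind of directory confinement discussed in this thread, showing why pointing the temp directory at a dedicated location matters even when path traversal is blocked. The function name confined_temp_path(), the file names and the demo directories are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not Horde/IMP source. Function and file names are hypothetical.

// Map a client-supplied attachment name to a file inside $tmpdir, or null.
function confined_temp_path(string $tmpdir, string $clientName): ?string
{
    if (strpos($clientName, "\0") !== false) {
        return null;                       // reject embedded NUL bytes outright
    }
    $base = realpath($tmpdir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Keep only the last path component, so "../../etc/passwd" becomes "passwd".
    $name = basename(str_replace('\\', '/', $clientName));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // Resolve symlinks and require the result to still sit under $base.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real === false || !is_file($real) || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: one directory shared with another application, one dedicated.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tmpdir-demo-' . getmypid();
$shared = $root . DIRECTORY_SEPARATOR . 'shared';
$dedicated = $root . DIRECTORY_SEPARATOR . 'attachments';
mkdir($shared, 0700, true);
mkdir($dedicated, 0700, true);
file_put_contents("$shared/upload_a1", 'attachment');
file_put_contents("$shared/other_app_session", 'unrelated data');
file_put_contents("$dedicated/upload_a1", 'attachment');

foreach (['shared' => $shared, 'dedicated' => $dedicated] as $label => $dir) {
    foreach (['upload_a1', '../../etc/passwd', 'other_app_session'] as $requested) {
        $path = confined_temp_path($dir, $requested);
        printf("%-9s %-18s => %s\n", $label, $requested, $path ?? 'rejected');
    }
}

// Remove the constructed files and directories.
array_map('unlink', glob("$root/*/*"));
array_map('rmdir', [$shared, $dedicated, $root]);
```

The confinement check is identical for both directories; the only difference is what else lives alongside the uploads, which is what moving the temp directory changes.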