[imp] Vulnerabilities in IMP/PHP

Chuck Hagenbuch chuck@horde.org
Mon, 19 Aug 2002 12:35:49 -0400


Quoting Bjørn Ove Grøtan <bjorn.grotan@itea.ntnu.no>:

> Hmm - if you say so. My eyes didn't read so on Friday but.

But what? If you've found a bug in our code, _send a patch_. Don't claim 
that you _think_ it does something it doesn't.

> Wouldn't you get a more reliable key if using the client hostname rather
> than the webserver hostname? A session-file may live quite long if one
> does not have automatic delete on old files in the chosen folder.

This is an option, but it's nearly as guessable, especially for people with 
a proxy server (AOL); furthermore, it would make life hell for people on 
dynamic DHCP connections; they get a new IP, boom, their password is wrong.

> experienced with securing webservers, it would be a good idea (in my
> opinion at least) to give some clues on how to secure it. A small paper
> on how to run a secure is by far better than having to browse through
> some slides that may or may not have a few key-words on security-issues

Then WRITE IT, and write it to _help_ people. Scared people don't run more 
secured servers; informed people do. Don't spout warnings of doom and gloom 
that are half-baked and ignorant.

-chuck

--
Charles Hagenbuch, <chuck@horde.org>
"After a few minutes the most aromatic and nice smelling Italian coffee 
 will come out of the exhaust pipe." - Our stove-top espresso pot
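The trade-off Chuck describes above (a key derived from a hostname is recomputable by anyone who knows the name; a key bound to the client's address breaks the moment a DHCP lease renews or a proxy pool shifts) can be shown with a small experiment. The code below is an added illustration, not IMP's or Horde's code: the hostnames, addresses and password are constructed sample values, `wrap`/`unwrap` are a hypothetical HMAC-based seal used only to tell "same key" from "different key", and the random per-session key in the third branch is an assumed alternative design, not something the thread says IMP implements.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # SHA-256 output length used by wrap()/unwrap()


def key_from_hostname(hostname: str) -> bytes:
    """Key derived purely from a hostname (the web server's or the client's).
    Anyone who knows the hostname can recompute it, so it adds no secrecy."""
    return hashlib.sha256(hostname.encode()).digest()


def key_bound_to_client(client_addr: str, server_secret: bytes) -> bytes:
    """Key tied to the visible client address. It is not guessable without
    server_secret, but it silently changes whenever that address changes."""
    return hmac.new(server_secret, client_addr.encode(), hashlib.sha256).digest()


def random_session_key() -> bytes:
    """Per-session random key kept in server-side session storage (assumed
    design, not IMP's): independent of both hostnames and client addresses."""
    return secrets.token_bytes(32)


def wrap(key: bytes, value: bytes) -> bytes:
    """Hypothetical seal: append an HMAC tag so the value is only accepted
    under the same key. Demonstration helper, not a production scheme."""
    return value + hmac.new(key, value, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes):
    """Return the sealed value if its tag verifies under key, else None."""
    value, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, value, hashlib.sha256).digest()
    return value if hmac.compare_digest(tag, expected) else None


def simulate_session_lifetime():
    """Constructed scenario: a credential stored in a session file that
    outlives a DHCP lease. Returns a tuple of three booleans:
    (hostname key recomputable from the public name,
     address-bound key still valid after the address changes,
     random session key still valid after the address changes)."""
    password = b"correct horse battery staple"  # constructed sample credential
    server_secret = secrets.token_bytes(32)

    # 1. Hostname-derived key: a second party recomputes the identical key
    #    from nothing but the public hostname.
    owner_key = key_from_hostname("webmail.example.org")
    recomputed = key_from_hostname("webmail.example.org")
    hostname_key_recomputable = owner_key == recomputed

    # 2. Address-bound key: the session was sealed at 192.0.2.10; after the
    #    lease renews the client shows up from 192.0.2.77 and the seal fails.
    sealed = wrap(key_bound_to_client("192.0.2.10", server_secret), password)
    after_renewal = unwrap(key_bound_to_client("192.0.2.77", server_secret), sealed)
    address_key_survives = after_renewal == password

    # 3. Random per-session key: nothing about it depends on the address,
    #    so the same stored session keeps working after the change.
    session_key = random_session_key()
    sealed = wrap(session_key, password)
    random_key_survives = unwrap(session_key, sealed) == password

    return hostname_key_recomputable, address_key_survives, random_key_survives


if __name__ == "__main__":
    print(simulate_session_lifetime())
```

Running it yields `(True, False, True)`: the hostname-only key is reproducible by anyone, the address-bound key fails exactly in the "they get a new IP, boom, their password is wrong" case, and a key that is random per session and stored server-side avoids both problems at the cost of needing that server-side storage to be protected.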