[RCD] /bin utilities

till till at php.net
Wed Dec 10 13:43:37 CET 2008


On Tue, Dec 9, 2008 at 8:40 PM, Kris Steinhoff <steinhof at umich.edu> wrote:
> While it is still unclear whether or not there is a problem with
> bin/html2text.php (http://trac.roundcube.net/ticket/1485618), maybe it's worth
> considering adding session checking to all of the utilities in the bin
> directory. If a vulnerability exists in a utility, then having a session check
> will limit or complicate its exploitation.
>
> The way quotaimg.php was doing session checking could be used in the other
> utilities. (quotaimg.php's session checking was removed in October:
> http://trac.roundcube.net/changeset/2012).

Wow, thanks for pointing that out.

@Thomas: Can we roll back in there? The reason the code is in there is
that otherwise people can "execute" quotaimg.php without being logged
in. I know that a login is not the ultimate security measure (malicious
user logged in ;-), but it is worse without.

The reason I included it is that there are scripts in the wild that run DoS
attacks on servers by requesting the quota functions, thus rendering
images (again, and again, and again) and in the end creating a lot of
load on the server, which can lead to a crash.

Till
_______________________________________________
List info: http://lists.roundcube.net/dev/
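As an added illustration of the guard the thread proposes, not code from quotaimg.php or any Roundcube file: a standalone PHP check that a bin/ utility can run before doing any work, so that requests without an authenticated session are refused cheaply. The session key `user_id` and the helper names `require_session()` and `deny()` are assumptions for the example, not Roundcube identifiers.

```php
<?php
// Added example: session guard for a standalone bin/ utility.
// Assumption: the application stores the logged-in user's id as a
// positive integer in $_SESSION['user_id'] after a successful login.

function deny(string $reason): void
{
    // Record the refusal so repeated unauthenticated hits show up in logs.
    error_log(sprintf('bin utility %s refused (%s) from %s',
        basename($_SERVER['SCRIPT_NAME'] ?? 'unknown'),
        $reason,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    header('HTTP/1.1 403 Forbidden');
    header('Content-Type: text/plain');
    exit('Not logged in');
}

function require_session(): void
{
    // Without a session cookie there is nothing to look up: reject before
    // session_start() would create and write an empty session for an
    // anonymous caller (which would itself be cheap load to generate).
    if (!isset($_COOKIE[session_name()])) {
        deny('no session cookie');
    }

    if (session_status() !== PHP_SESSION_ACTIVE) {
        ini_set('session.use_only_cookies', '1'); // ignore ids passed in the URL
        session_start();
    }

    $uid = $_SESSION['user_id'] ?? null;
    if (!is_int($uid) || $uid <= 0) {
        deny('session not authenticated');
    }
}

// Run the check before any parameter is read or any image is rendered,
// so an unauthenticated request costs the server almost nothing.
require_session();

// ... the utility's real work (e.g. rendering the quota image) follows here.
```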