[RCD] /bin utilities

James E. Blair jeblair at berkeley.edu
Tue Dec 23 21:20:53 CET 2008

Kris Steinhoff wrote:
> The scripts in the bin directory may be slightly more vulnerable to denial of 
> service attacks. But I'm more worried about the potential for bugs in those 
> scripts (or stuff they call) that could be a vector for more serious attacks.
> Usage of those scripts should be limited to users known to RoundCube.
> If the added weight of creating the $RCMAIL instance is a concern, then perhaps 
> we could use a different (lighter) approach to verifying that the user running 
> the script is a valid RoundCube user.
> -kris

I strongly agree with Kris that it is preferable to spend a few more CPU 
cycles if it reduces the exposure of our systems to attack.  Since we've 
recently found two of the three web scripts in that directory to be 
vulnerable, I find the trade-off to be very compelling.

I've created a ticket with a patch for this.



List info: http://lists.roundcube.net/dev/
