[RCD] /bin utilities
James E. Blair
jeblair at berkeley.edu
Tue Dec 23 21:20:53 CET 2008
Kris Steinhoff wrote:
> The scripts in the bin directory may be slightly more vulnerable to denial of
> service attacks. But I'm more worried about the potential for bugs in those
> scripts (or stuff they call) that could be a vector for more serious attacks.
> Usage of those scripts should be limited to users known to RoundCube.
> If the added weight of creating the $RCMAIL instance is a concern, then perhaps
> we could use a different (lighter) approach to verifying that the user running
> the script is a valid RoundCube user.
I strongly agree with Kris that it is preferable to spend a few more CPU
cycles if it reduces the exposure of our systems to attack. Since we've
recently found two of the three web scripts in that directory to be
vulnerable, I find the trade-off to be very compelling.
I've created a ticket with a patch for this.
List info: http://lists.roundcube.net/dev/