[RCD] /bin utilities

James E. Blair jeblair at berkeley.edu
Tue Dec 23 21:20:53 CET 2008


Kris Steinhoff wrote:
> The scripts in the bin directory may be slightly more vulnerable to denial of 
> service attacks. But I'm more worried about the potential for bugs in those 
> scripts (or stuff they call) that could be a vector for more serious attacks.
> 
> Usage of those scripts should be limited to users known to RoundCube.
> 
> If the added weight of creating the $RCMAIL instance is a concern, then perhaps 
> we could use a different (lighter) approach to verifying that the user running 
> the script is a valid RoundCube user.
> 
> -kris

I strongly agree with Kris that it is preferable to spend a few more CPU 
cycles if it reduces the exposure of our systems to attack.  Since we've 
recently found two of the three web scripts in that directory to be 
vulnerable, I find the trade-off to be very compelling.

I've created a ticket with a patch for this.

http://trac.roundcube.net/ticket/1485645

-Jim

_______________________________________________
List info: http://lists.roundcube.net/dev/