[RCD] IMAP ID Bug found in Roundcube 1.0.1 in rcube_imap.php
h.reindl at thelounge.net
Fri Nov 7 13:22:17 CET 2014
On 07.11.2014 at 13:08, Cor Bosman wrote:
> On 07.11.2014 at 12:51, Cor Bosman wrote:
>>>> On 07 Nov 2014, at 12:44, Reindl Harald <h.reindl at thelounge.net> wrote:
>>> Dovecot doesn't. All dovecot does with that information is log the x-forwarded-ip
>> and then on the server runs "fail2ban" enforcing blocking based on that log - congratulations
> That still doesn't compromise your security, but I see your point.
> A DOS possibility, even a remote possibility, is annoying.
If you ever have a security audit on your infrastructure you will see
that you get a red flag for *any* known DOS possibility, and if the audit
was ordered by a customer that means you have 24 hours to fix
that issue or shut down the server - been there, or better said, we are
there every week (currently only for webservers, but that may change from
one day to the next).
The point is not only the DOS - but that's one example where I needed
only to think 5 seconds after "it's just used for logging" - there are
people out there with a lot of time thinking about how they can abuse IT systems.
Are you 100% sure that it doesn't use that information, or will not do so
in later releases?
The idea behind "mod_remoteip" is that you can *trust*
$_SERVER['REMOTE_ADDR'] to contain the client's IP behind a proxy, and
hence Allow from / Deny from in Apache also uses that information;
hence it is trustable in a correct setup.
> I'll revert my plugin back to $_SERVER, and I'll leave it up to rc devs
> what to do with the rcube_utils function
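The distinction made above (honouring forwarded client addresses only in a "correct setup", i.e. only when the direct peer is a proxy you actually control) can be illustrated with a small helper. This is an added example and not Roundcube's rcube_utils code nor the plugin under discussion; the function name client_ip, the $trusted_proxies list and the sample requests are constructed for illustration.

```php
<?php
// Added example (not Roundcube code): resolve the client IP the way mod_remoteip does,
// honouring X-Forwarded-For only when the direct peer (REMOTE_ADDR) is a trusted proxy.
// Anything else passes through to logs, fail2ban or IMAP ID only as the real peer address.

function client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection or untrusted peer: the header is client-controlled, so ignore it.
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }

    // X-Forwarded-For is "client, proxy1, proxy2": walk from the right, skipping
    // our own trusted hops, and stop at the first address that is not one of them.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // Malformed value in the header: never forward it downstream, fall back to the peer.
            return $remote;
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }

    // Every hop was one of our proxies; the peer address is the best we have.
    return $remote;
}

// Constructed sample requests (assumed proxy address 10.0.0.2):
$trusted = ['10.0.0.2'];

// Request arriving via the real proxy: the forwarded address is used.
echo client_ip(['REMOTE_ADDR' => '10.0.0.2',
                'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.2'], $trusted), "\n";

// Direct client supplying its own header: ignored, REMOTE_ADDR is kept.
echo client_ip(['REMOTE_ADDR' => '198.51.100.9',
                'HTTP_X_FORWARDED_FOR' => '192.0.2.1'], $trusted), "\n";

// Trusted proxy but a garbage header: fall back to the peer address.
echo client_ip(['REMOTE_ADDR' => '10.0.0.2',
                'HTTP_X_FORWARDED_FOR' => 'not-an-ip'], $trusted), "\n";
```

The first call yields the forwarded client address, the second and third yield REMOTE_ADDR. The design point is the same one behind mod_remoteip's trusted-proxy list: a forwarded-address header is only meaningful when the connection that carried it came from a host you configured as a proxy; in every other case the value is whatever the sender chose to put there and must not reach a log that something like fail2ban acts on.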