[RCD] IMAP ID Bug found in Roundcube 1.0.1 in rcube_imap.php
h.reindl at thelounge.net
Fri Nov 7 13:38:30 CET 2014
On 07.11.2014 at 13:30, Cor Bosman wrote:
>> are you 100% sure that it doesn't use that information or will not do so in later releases?
> That's not the dovecot option that applies here
I know that!
but can you assure that the forwarded IP will not be used in a future
release (maybe optional) in that context too or in some 3rd party module?
the point is simple: don't forward possible untrusted input if you have
a trustable source too because you can't know the implications on other
parts of the mail stack
security is a complex topic
did you know that $_SERVER['PHP_SELF'] is vulnerable to XSS until you
set "AcceptPathInfo Off" in your Apache config, which may break other
applications? I did not until a security audit showed a red flag!
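The PHP_SELF point above, as an added example that is not part of the original post or of Roundcube's code: with AcceptPathInfo on, a request for `/webmail/login.php/"><injected>` still runs login.php and PHP_SELF carries the attacker-controlled suffix, so echoing it into markup is a reflected XSS. The request values below are constructed, and the hardened version assumes a mod_php-style setup where SCRIPT_NAME excludes PATH_INFO; the escaping is the essential part either way.

```php
<?php
// Constructed request values standing in for what Apache hands to PHP when
// AcceptPathInfo is on: PHP_SELF keeps the path-info suffix verbatim.
$_SERVER['PHP_SELF']    = '/webmail/login.php/"><injected>';
$_SERVER['SCRIPT_NAME'] = '/webmail/login.php';

// Vulnerable: PHP_SELF is written raw into an attribute, so the suffix
// closes the quote and injects markup into the page (reflected XSS).
function form_action_vulnerable(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Hardened: use SCRIPT_NAME (the script actually executed, without
// PATH_INFO under mod_php) and always escape for the HTML attribute
// context. "AcceptPathInfo Off" then becomes defence in depth rather
// than the only thing standing between the request and the output.
function form_action_hardened(): string
{
    $self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Detection hint for reviewers: any direct use of PHP_SELF in output is
// a finding; grep for it before trusting the Apache setting.
echo form_action_vulnerable(), PHP_EOL;  // attribute is broken out of
echo form_action_hardened(), PHP_EOL;    // clean, escaped action URL
```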