OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: PostACI Webmail Vulnerability
From: Michael R. Rudel (mrrBRIG.PCS.K12.MI.US)
Date: Thu Nov 30 2000 - 20:25:42 CST


The PostACI webmail system contains a rather trival vulnerability. One can
obtain the hostname, username and password variables for the MySQL server
(in addition to other setup information) if PostACI is setup as described
running out of the box by simplying going to the url:

http://>/includes/global.inc

So, if webmail.com was running PostACI:

http://>/includes/global.inc

Well, you ask, what can I do to fix this?

There are a few different ways. You could just modify the source tree to
make /includes a different directory that only you know. Or, you could do
it the right way and use a .htaccess file to only allow localhost to
access anything in the includes directory.

MySQL database passwords are something that need to be more closely
guarded, and this isn't the first application like this I've seen that
does something like this.

In addition to properly guarding your passwords, you should only let
certain hostnames connect to MySQL, and should have several layers of
protection, such as at least one firewall, and then MySQL's built in host
protection.

-- Michael R. Rudel
-- Technician / Security Advisor
-- Pinckney Community Schools =-=
http://www.pcs.k12.mi.us