Franklin DeMatto wrote:
> I would suggest that the "." character be removed from the list of
> acceptable characters, and possibly having hypermail append a standard
> extension. This would prevent an attacker from sending .shtml and the
> like, and would eliminate the possibility of a successful double
> dot exploit.
As an *option*, I have no problem with this. I don't agree that it should be the only possible hypermail configuration. Controlling what (if anything) is allowed for SSI and where it's allowed is pretty basic security practice for a webserver.
_____________
Hewlett-Packard Personal Storage Business
Tom von Alten mailto:Tom_vonAlten_at_hp.com
This posting is for informational purposes only. It is not a statement of the Hewlett-Packard Co.

Received on Wed 14 Nov 2001 08:43:25 PM GMT
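The filename handling discussed in this thread, sketched as an added example that is not part of the original posts and is not hypermail's own code: the function name, the `strip_dots` switch and the `.bin` extension are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper for illustration; not hypermail's own code. */
static int is_safe(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-';
}

/* Build a stored name from a sender-supplied attachment name.
 * strip_dots != 0: "." is not an acceptable character and the fixed
 *   extension `ext` (assumed value, e.g. ".bin") is appended.
 * strip_dots == 0: single interior dots are kept, so the sender still
 *   picks the extension; leading dots and ".." runs are dropped.
 * Returns 0 on success, -1 if `out` is too small (never truncates). */
int sanitize_attachment_name(const char *in, int strip_dots,
                             const char *ext, char *out, size_t outsz)
{
    size_t extlen = strip_dots ? strlen(ext) : 0;
    size_t n = 0, limit;

    if (outsz < extlen + 2) return -1;   /* one char + extension + NUL */
    limit = outsz - extlen - 1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int keep = is_safe(c) ||
                   (c == '.' && !strip_dots && n > 0 && out[n - 1] != '.');
        if (!keep) continue;             /* drops '/', '\\', spaces, etc. */
        if (n >= limit) return -1;
        out[n++] = (char)c;
    }
    while (n > 0 && out[n - 1] == '.') n--;   /* no trailing dot */
    if (n == 0) out[n++] = '_';               /* nothing acceptable survived */
    if (strip_dots) { memcpy(out + n, ext, extlen); n += extlen; }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];                        /* constructed sample input below */
    if (sanitize_attachment_name("../../index.shtml", 1, ".bin", buf, sizeof buf) == 0)
        printf("%s\n", buf);
    return 0;
}
```

With `strip_dots` set to 0 the same input is stored as `index.shtml`, so in that configuration the web server's SSI settings are what keep the file from being parsed.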
This archive was generated by hypermail 2.2.0 : Thu 22 Feb 2007 07:33:53 PM GMT