[hypermail] RE: Hypermail security < test <here> >

From: Tom von Alten <tom_vonalten_at_boi.hp.com_at_hypermail-project.org>
Date: Wed, 14 Nov 2001 11:39:11 -0700
Message-ID: <000401c16d3b$a6e973e0$455b270f_at_alien-nt.boi.hp.com>


Franklin DeMatto wrote:
> I would suggest that the "." character be removed from the list of
> acceptable characters, and possibly having hypermail append a standard
> extension. This would prevent an attacker from sending .shtml and the
> like, and would eliminate the possibility of a successful double
> dot exploit.

As an *option*, I have no problem with this. I don't agree that it should be the only possible hypermail configuration. Controlling what (if anything) is allowed for SSI and where it's allowed is pretty basic security practice for a webserver.

_____________ Hewlett-Packard Personal Storage Business Tom von Alten mailto:Tom_vonAlten_at_hp.com

          This posting is for informational purposes only.
          It is not a statement of the Hewlett-Packard Co.
Received on Wed 14 Nov 2001 08:43:25 PM GMT

This archive was generated by hypermail 2.2.0 : Thu 22 Feb 2007 07:33:53 PM GMT
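The filename rule from the quoted suggestion, made switchable as the reply asks, is sketched below as an added example; it is not hypermail's code and not part of either message. The function name, the `_` replacement for rejected characters, and the `.bin` extension are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not hypermail's own code). Builds the on-disk name
 * for an attachment from the sender-supplied name.
 *   strict != 0: '.' is not an acceptable character and std_ext is appended,
 *                so the sender controls neither the extension nor "..".
 *   strict == 0: '.' is kept, for sites that restrict SSI in the web server.
 * Rejected characters become '_' (assumption). Returns 0 on success, -1 if
 * the input is empty or the result does not fit in out. */
int safe_attachment_name(const char *supplied, int strict,
                         const char *std_ext, char *out, size_t outlen)
{
    size_t n = 0;

    if (!supplied || !std_ext || !out || *supplied == '\0')
        return -1;

    for (const char *p = supplied; *p; p++) {
        unsigned char c = (unsigned char)*p;
        int ok = isalnum(c) || c == '-' || c == '_' || (!strict && c == '.');

        if (n + 1 >= outlen)          /* keep room for the terminator */
            return -1;
        out[n++] = ok ? (char)c : '_';
    }
    out[n] = '\0';

    if (strict) {
        size_t extlen = strlen(std_ext);
        if (n + extlen + 1 > outlen)
            return -1;
        memcpy(out + n, std_ext, extlen + 1);   /* copies the '\0' too */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the list archive. */
    const char *samples[] = { "report.txt", "evil.shtml", "..", "../x.shtml" };
    char buf[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        for (int strict = 0; strict <= 1; strict++)
            if (safe_attachment_name(samples[i], strict, ".bin", buf, sizeof buf) == 0)
                printf("strict=%d %-12s -> %s\n", strict, samples[i], buf);
    return 0;
}
```

With `strict` off, `..` and a `.shtml` suffix pass through unchanged, which is the case where the server-side SSI restrictions mentioned in the reply have to carry the load.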