On Fri, 15 Mar 2002, Nikolajus Krauklis wrote:
> With hypermail i making nice looking and usefull mailing list archive, but
> in this archyve where are some vulnarabilities. For example in that server
> there are PHP, so someone can send to mailing list *.php file and after
> making archive all user can get this *.php file throught web mailing list
> archive. My mailing list archive reindexing every night, so every night i'm
> in dangerous situation. This .php on my server people can in simple drop
> database and so on...
>
> how to solve it. Before sending attachment to user browser, send special
> header. So .php file will be not exacutable, but saveble :)
If you run Apache, you can edit out this possibility by editing your config file or your .htaccess file with this:
AddType text/plain .php
In fact, you should disable all weird types (those that let you run things on the server based on file extensions) in the directory you store attachments in, so that no one can invoke anything.
-- Daniel Stenberg - http://daniel.haxx.se - +46-705-44 31 77 ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`olReceived on Fri 15 Mar 2002 06:16:41 PM GMT
This archive was generated by hypermail 2.2.0 : Thu 22 Feb 2007 07:33:54 PM GMT GMT