On Tue, February 1, 2005 11:59, Thomas Nagel said:
> Package: squirrelmail
> Version: 1.4.4-1
> Severity: serious
>
> Information leakage is enabled by default via the newly added
> /usr/share/squirrelmail/src/configtest.php Script which should be
> disabled (or as a minimum a Deny line should be added to the example
> apache.conf file).

Thank you for your report. I do not agree with you that this has "serious" severity: indeed it would be better to "leak" as little information as possible, but I don't see any concrete problems that arise from the small bits of information that can be gathered now (most of which are also readily available through other means on a Debian installed server).

I will fix this though. I propose by default allowing access to this script only from localhost. Will check upstream for a permanent solution to this.

Thijs
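
The localhost-only restriction proposed in the reply above could be expressed in Apache configuration as follows. This is an added example, not part of the original message and not the Debian package's own fix; placing it in a <Directory> block for /usr/share/squirrelmail/src in the server or virtual-host configuration is an assumption.

```apache
# Added example: allow configtest.php to be requested from the local host only.
# Assumption: this fragment is included from the main server or vhost config.
<Directory /usr/share/squirrelmail/src>
    <Files "configtest.php">
        # Apache 2.4 and later: authorization is handled by mod_authz_core.
        <IfModule mod_authz_core.c>
            Require local
        </IfModule>

        # Apache 2.2 and earlier: host-based access control directives.
        # Guarded so the two schemes are never mixed on one server.
        <IfModule !mod_authz_core.c>
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1 ::1
        </IfModule>
    </Files>
</Directory>
```

If a reverse proxy on the same host sits in front of Apache, every request arrives from the loopback address, so this rule no longer separates remote clients from local ones.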