6 messages in net.sourceforge.lists.courier-users: Re: [courier-users] Re: [SECUNIA] Vul...

From / Sent on:
Sam Varshavchik - Aug 24, 2005 4:02 am
David Gomillion - Aug 24, 2005 7:03 am
Georg Lutz - Aug 24, 2005 7:33 am
Sam Varshavchik - Aug 24, 2005 4:26 pm
Gordon Messmer - Aug 24, 2005 4:52 pm
sujit jagdev - Aug 27, 2005 7:49 pm
Subject: Re: [courier-users] Re: [SECUNIA] Vulnerability in SqWebMail
From: Georg Lutz (gli@gmx.net)
Date: Aug 24, 2005 7:33:50 am
List: net.sourceforge.lists.courier-users

On 2005-08-24, David Gomillion wrote:

> cour@lists.sourceforge.net wrote:
>
> I agree 100% with you, Sam. The only problem is that I have some less-savvy users.
>
> Can we implement a feature that allows us to set a variable that determines if the Display link even appears? From the original email, it looks like they are asserting that using the Display link will allow arbitrary code to run on the server, which is never a good thing.

How should it be possible to run arbitrary code on the server ???

> It'd be really nice to be able to set it per mime type, but just hiding the Display link for all attachment types would be good enough for my installation.

I also agree. It would be a reasonable feature to deactivate the display function.

It should also be possible to "logout" before viewing the attachment in order to prevent cross site scripting like when clicking on links inside mails. But this involves a lot more work and does not eliminate all kinds of issues (i.e. with stupid users and insecure browsers).
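The two mitigations discussed in this thread, a per-MIME-type (or global) switch for the "Display" link and serving attachments in a way that keeps the browser from rendering them inside the logged-in webmail session, can be expressed as a small policy object. The code below is an added illustration and is not SqWebMail's or Courier's own code; the `AttachmentPolicy` class, the `DEFAULT_INLINE_ALLOWED` and `ACTIVE_CONTENT_TYPES` lists and the `sanitize_filename` helper are hypothetical names chosen for the example. It goes slightly beyond the thread by also forcing the declared content type (`nosniff`) and a CSP `sandbox` on everything it serves, so that an attachment the browser would otherwise guess to be HTML cannot execute script in the webmail origin.

```python
# Added example (not SqWebMail code): a policy for serving mail attachments
# that implements the mitigations discussed in the thread: a per-MIME-type
# switch for the "Display" (inline) link, and serving everything else as a
# download with headers that stop the browser from interpreting it.

from dataclasses import dataclass, field
from typing import Dict, FrozenSet

# Hypothetical configuration: MIME types that may be rendered inline at all.
# Anything not listed is served as a download (Content-Disposition: attachment).
DEFAULT_INLINE_ALLOWED: FrozenSet[str] = frozenset({
    "image/png", "image/jpeg", "image/gif", "text/plain",
})

# Types that carry active content when a browser renders them; never inline,
# even if an administrator adds them to the allow list by mistake.
ACTIVE_CONTENT_TYPES: FrozenSet[str] = frozenset({
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "application/javascript", "text/javascript",
})


def sanitize_filename(name: str) -> str:
    """Keep a conservative character set so the filename cannot break out of
    the quoted Content-Disposition parameter (quotes, semicolons, CR/LF)."""
    kept = "".join(c for c in name if c.isalnum() or c in "._-")
    kept = kept.strip("._")
    return kept or "attachment"


@dataclass
class AttachmentPolicy:
    # Global switch: when False the UI never offers a Display link at all
    # (the "good enough for my installation" option from the thread).
    display_link_enabled: bool = True
    # Per-MIME-type switch.
    inline_allowed: FrozenSet[str] = field(default_factory=lambda: DEFAULT_INLINE_ALLOWED)

    @staticmethod
    def _base_type(mime_type: str) -> str:
        # Drop parameters such as "; charset=utf-8" and normalise case.
        return mime_type.split(";")[0].strip().lower()

    def show_display_link(self, mime_type: str) -> bool:
        """Whether the message view should offer a Display (inline) link."""
        if not self.display_link_enabled:
            return False
        mt = self._base_type(mime_type)
        return mt in self.inline_allowed and mt not in ACTIVE_CONTENT_TYPES

    def response_headers(self, mime_type: str, filename: str) -> Dict[str, str]:
        """Response headers for serving one attachment body.

        Inline rendering is granted only to allow-listed, non-active types.
        Everything else goes out as application/octet-stream with an
        attachment disposition, so the browser downloads it instead of
        rendering it in the webmail session's origin. nosniff and a CSP
        sandbox are set unconditionally as a second line of defence.
        """
        mt = self._base_type(mime_type)
        safe_name = sanitize_filename(filename)
        headers = {
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "sandbox; default-src 'none'",
            "Cache-Control": "no-store",
        }
        if self.show_display_link(mt):
            headers["Content-Type"] = mt
            headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
        else:
            headers["Content-Type"] = "application/octet-stream"
            headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
        return headers


if __name__ == "__main__":
    # Constructed sample parts, as a quick demonstration of the policy.
    policy = AttachmentPolicy()
    for mime, name in [("image/png", "photo.png"),
                       ("text/html; charset=utf-8", 'page"; evil.html')]:
        print(mime, "->", policy.response_headers(mime, name)["Content-Disposition"])
```

A deployment that wants the simpler behaviour from the thread (no Display link for anything) constructs `AttachmentPolicy(display_link_enabled=False)`; `response_headers` then serves every part as a download regardless of type.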