Re: [courier-users] Security Issue: Webamin posts login via GET, password included in HTTP logs - Sam Varshavchik - net.sourceforge.lists.courier-users

2 messages in net.sourceforge.lists.courier-usersRe: [courier-users] Security Issue: W...

From	Sent On	Attachments
Jeff Rosenberg	May 24, 2002 11:42 am
Sam Varshavchik	May 24, 2002 6:38 pm

Subject:	Re: [courier-users] Security Issue: Webamin posts login via GET, password included in HTTP logs
From:	Sam Varshavchik (mrs...@courier-mta.com)
Date:	May 24, 2002 6:38:42 pm
List:	net.sourceforge.lists.courier-users

On Fri, May 24, 2002 at 11:42:41AM -0700, Jeff Rosenberg wrote:

should really be a POST, not a GET

As a GET, this ensures that your webadmin password gets included in the default
HTTP logs of your webserver, via query string, every time you log in.

Webadmin isn't going to be used by the general populace. Webadmin is sysadmin's tools. If the sysadmin's workstation is compromised, there's going to be bigger problems to worry about.

But, there's no problem with making it a POST...

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets