[hypermail] RE: Hypermail security < test <here> >

---------


From: Tom von Alten (tom_vonalten@boi.hp.com)
Date: Wed Nov 14 2001 - 12:39:11 CST


Franklin DeMatto wrote:
> I would suggest that the "." character be removed from the list of
> acceptable characters, and possibly having hypermail append a standard
> extension. This would prevent an attacker from sending .shtml and the
> like, and would eliminate the possibility of a successful double
> dot exploit.

As an *option*, I have no problem with this. I don't agree that
it should be the only possible hypermail configuration. Controlling
what (if anything) is allowed for SSI and where it's allowed is
pretty basic security practice for a webserver.

_____________ Hewlett-Packard Personal Storage Business
Tom von Alten mailto:Tom_vonAlten@hp.com

          This posting is for informational purposes only.
          It is not a statement of the Hewlett-Packard Co.
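
Added example, not part of the original post and not hypermail's own code: a C sketch of the attachment-name filter discussed above, with the dot-free mode as a switchable option. The function name, the ".bin" extension and the "attachment" fallback are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define STD_EXT  ".bin"        /* assumed standard extension */
#define FALLBACK "attachment"  /* assumed name when nothing survives */

/* Map a sender-supplied attachment name to a safe on-disk name.
 * strict != 0: "." is not acceptable and STD_EXT is appended.
 * strict == 0: "." is kept, but never first, last or doubled, so
 * ".." and dot-files cannot be formed; the extension survives.
 * Returns 0 on success, -1 if out is too small. */
int safe_attachment_name(const char *in, char *out, size_t outlen, int strict)
{
    size_t n = 0;
    size_t reserve = (strict ? strlen(STD_EXT) : 0) + 1;  /* ext + NUL */

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int ok = isalnum(c) || c == '_' || c == '-';

        if (!strict && c == '.' && n > 0 && out[n - 1] != '.')
            ok = 1;
        if (!ok)
            continue;              /* drops '/', '\\', spaces, controls */
        if (n + reserve >= outlen)
            return -1;
        out[n++] = (char)c;
    }
    while (n > 0 && out[n - 1] == '.')
        n--;                       /* no trailing dot */
    if (n == 0) {
        if (strlen(FALLBACK) + reserve > outlen)
            return -1;
        memcpy(out, FALLBACK, strlen(FALLBACK));
        n = strlen(FALLBACK);
    }
    if (strict) {
        memcpy(out + n, STD_EXT, strlen(STD_EXT));
        n += strlen(STD_EXT);
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    if (safe_attachment_name("../../x.shtml", buf, sizeof buf, 1) == 0)
        puts(buf);
    return 0;
}
```

With strict set to 0 the traversal sequences are still removed but a name such as index.shtml keeps its extension, so whether the file is parsed for SSI then depends on the webserver configuration.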



---------

This archive was generated by hypermail 2b29.