Re: Attachment vulnerabilities,

---------

From: Daniel Stenberg (daniel@haxx.se)
Date: Fri Mar 15 2002 - 10:10:58 CST


On Fri, 15 Mar 2002, Nikolajus Krauklis wrote:

> With hypermail I am making a nice-looking and useful mailing list archive,
> but in this archive there are some vulnerabilities. For example, on that
> server there is PHP, so someone can send a *.php file to the mailing list,
> and after the archive is made all users can get this *.php file through the
> web mailing list archive. My mailing list archive is reindexed every night,
> so every night I'm in a dangerous situation. With this .php on my server
> people can simply drop the database and so on...
>
> How to solve it: before sending an attachment to the user's browser, send a
> special header. So the .php file will not be executable, but saveable :)

If you run Apache, you can edit out this possibility by editing your config
file or your .htaccess file with this:

AddType text/plain .php

In fact, you should disable all weird types (those that let you run things on
the server based on file extensions) in the directory you store attachments
in, so that no one can invoke anything.

-- 
      Daniel Stenberg - http://daniel.haxx.se - +46-705-44 31 77
   ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol

---------
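
An added example, not part of the original message or of hypermail: an Apache configuration for the attachment directory that combines the reply's advice (no execution based on file extension) with the download header suggested in the question. The directory path is an assumption, and the mod_php module identifier differs between PHP versions.

```apache
# Added example. /var/www/archive/attachments is an assumed path; use the
# directory hypermail writes attachments into.
<Directory "/var/www/archive/attachments">
    # Ignore any .htaccess that arrives as an attachment.
    AllowOverride None

    # No CGI execution and no server-side includes in this tree.
    Options -ExecCGI -Includes

    # Drop extension-to-handler and extension-to-type mappings that the
    # main configuration set up for scripting languages.
    RemoveHandler .php .phtml .php3 .cgi .pl .py .shtml
    RemoveType .php .phtml .php3

    # Serve every file here as static content.
    SetHandler default-handler

    # Assumption: PHP runs as mod_php. The identifier may be mod_php5.c,
    # mod_php7.c or mod_php.c depending on the installed version.
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>

    # The "special header" from the question: make browsers save the file
    # instead of rendering it, and stop them guessing a different type.
    <IfModule mod_headers.c>
        Header set Content-Disposition "attachment"
        Header set X-Content-Type-Options "nosniff"
    </IfModule>
</Directory>
```

After reloading Apache, requesting a stored .php attachment should return its source as a download rather than its output.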

This archive was generated by hypermail 2.1.5.