
CVS: squirrelmail/doc security.txt,1.3,1.4: msg#00027

Subject: CVS: squirrelmail/doc security.txt,1.3,1.4
Update of /cvsroot/squirrelmail/squirrelmail/doc
In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv9202

Modified Files:
        security.txt 
Log Message:
include note about password security in security doc


Index: security.txt
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/doc/security.txt,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -w -r1.3 -r1.4
--- security.txt        14 Apr 2006 11:07:55 -0000      1.3
+++ security.txt        8 Jun 2006 15:53:54 -0000       1.4
@@ -23,6 +23,12 @@
   IMAP server. Note that this makes no sense if both are on the same machine.
   See doc/authentication.txt for info.
 
+- config.php. Some options in conf.pl / config.php allow for passwords to
+  be set in that file, e.g. the addressbook/preferences DSN, and LDAP
+  addressbooks. When setting a sensitive password, check that config.php
+  is not readable for untrusted system users, and consider the possibility
+  of it being read by other users of the same webserver.
+
 - Subscribe to the squirrelmail-announce mailinglist to be informed about new
   releases which may fix security bugs. If you run SquirrelMail packaged by
   your distribution, make sure to apply their security upgrades.
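
Review bot: In the added "config.php" item, "allow for passwords to be set in that file" is ambiguous, because the sentence names both conf.pl and config.php; say directly that the passwords end up in config.php. The instruction to "check that config.php is not readable for untrusted system users" also gives no indication of how to check or who still needs read access. Suggest stating that the file should be readable only by its owner and the account the webserver runs as. The last clause, about "other users of the same webserver", raises a risk without any mitigation; either add a short recommendation for shared hosting or point to a document that covers it, as the preceding item does with doc/authentication.txt.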




