well, no argument about possible security holes. but there are many other ways to exploit ur clients on windows, so i don't consider it a big of a deal. if u want them to be secure, tell them to stop using windows. there isn't a windows on the planet that can't be hacked in. besides, hooking into the explorer bar is not so dangerous as it might seem. think of it as running an application on windows, because the windows shell is like a giant browser. the program itself is a small dll u make urself in c++ and as for the dhtml, its only an option i suggested u can do it in whatever way u like. it will not be more or less dangerous than any vbscript or a programm u run in windows. I already written some hookups, it is a very ellegant way to do things in windows world. besides, if u do things as i suggested u can even make the whole deal more secure by using ssl under the http, another option is that u can create an authorization server virtually for free just for ur clients and give anyone of them a personal certificate, i did it in the past and it works great. (don't mind the authorization server to be versign if every user got a certificate u issued him then it is fairly safe, or at least more safe then not using it).
* - * - * Tzahi Fadida [EMAIL PROTECTED] Fax (+1 Outside the US) 240-597-3213 * - * - * - * - * - * > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of Tzafrir Cohen > Sent: Tuesday, February 19, 2002 1:45 AM > To: Tzahi Fadida > Cc: 'linux-il' > Subject: RE: sendmail relay problem > > > On Tue, 19 Feb 2002, Tzahi Fadida wrote: > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED]]On Behalf Of Tzafrir Cohen > > > Sent: Monday, February 18, 2002 11:51 PM > > > To: Tzahi Fadida > > > Cc: Rabbit of Vugluskr; 'linux-il' > > > Subject: RE: sendmail relay problem > > > > > > > > > On Mon, 18 Feb 2002, Tzahi Fadida wrote: > > > > > > > HI, > > > > how many ISPs are we talking about? since u can probably > make a simple > > > > script vbs/perl/whatever that uses http to send current > nslookup and get > > > > xml/text data from your company web site which includes all > known ISPS > > > > smtp addresses. this way, any addition of ISP can be > realized quickly > > > > and be added to ur database by analyzing unknown http get call to ur > > > > xml/text page. > > > > or if u still can't manage, just build a simple php page > with execute > > > > code to change the smtp address automagicaly in the > > > > registry(windows)/mail settings > > > > what do u think? > > > > > > Let me see if I understand this correctly: > > > > > > a vb script on the client ('client-scirpt') accesses a well > known address > > > on the mail/web server ('server-script'). server-script is basically a > > > table that gives the address that should be used in the address of the > > > client. It is trivial to write such a scirpt. I don't think that it > > > exposes any sensetive information (except, maybe, the fact > that your sales > > > persons are allowed to connect from certain points). > > > > > > The client script runs with the permissns of the current > user, and changed > > > the smtp server of the current user. What I said would have > been nice, had > > > there been such one default smtp server. But I believe that > Outlook has > > > a different smtp server for each account, and no default smtp server > > > (unlike, e.g. mozilla). > > > > > > This will still require the sales person to run a program > (=click an icon) > > > after connecting), but I'm sure that there is a way of hooking the > > > execution of such a script into existing connection. > > > > > > > well, yeah basically. > > > > There is certainly a problem with an outlook style accounts program, > > but i am certain, that u can add to the script a loop to "if then" every > > set of account to check it got the designated pop.mycompany.com pop3 > > definition in the account and then change only that account. > > > > you can even set up a php page, that will allow u to choose ur mail > > client from a combo box and thus run a different script for each set of > > {OS,mail client} easy to do with a decent app server/script server like > > php or ColdFusion or asp/whatever. > > > > Actually I believe that this is quite simple to do even with a simple CGI > script. > > But this is not what I meant. I meant that client-script will get > only the data (address of the smtp server) from server-script . This keeps > server-script simple and client-script does not have to execute code from > a remote location. > > This also keeps things simpler: You never use the wrong script for a > client, because client-script is installed locally. > > Ideally the client would be installed as a hook to the mail program: when > you start outlook it checks if it is connected, and if it is, it sets the > smtp server) > > > another option for ur windows users is to use the .cab extention to do > > a quick install from the web for ur application as a hookup on the > > internet explorer bar, and then when they change isp they can open their > > explorer and choose their new isp from the bar which can be dhtmled to > > do an http get xml/text from ur web site. U won't believe how common is > > this method. > > And some day someone will manage to forge the address of your server and > get the sales person to install their-favorite-backdoor from their server. > Why execute code from a remote server? > > -- > Tzafrir Cohen > mailto:[EMAIL PROTECTED] > http://www.technion.ac.il/~tzafrir > > > > ================================================================= > To unsubscribe, send mail to [EMAIL PROTECTED] with > the word "unsubscribe" in the message body, e.g., run the command > echo unsubscribe | mail [EMAIL PROTECTED] ================================================================To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
