Christophe Chisogne wrote:
raditha dissanayake wrote:
IMAP being a general file access protocol, there are inherent security problems to be aware of. On some servers, you could easily get /etc/passwd by simply knowing a single user/password.
Please explain how.
[sorry to be off-topic on a php list but I'll answer anyway]
Example: badly configured server, angry user john using Mozilla and knowing a single login/password on the server (that login doesn't even have a valid shell, e.g. /bin/false). In Mozilla, john creates an IMAP account, choosing '/etc' as directory folder, then 'subscribe' to it. That way, he got many "folders" locally, for example 'passwd'. In that folder, a single mail titled '/etc/passwd'...
On the contrary, you cannot create a new folder when a folder by that name already exists, and in most installations of IMAP you can only create subfolders inside a designated folder. If the sysadmin is so dumb as to change that, he should never go anywhere near a server.
you can use SSL with IMAP too.
We can use SSL with many things. But the client side can't always use it ([very] old mail clients, for example). In a controlled environment (where one can force users to use mail client xyz), it's not a problem anyway.
Ancient clients don't support SSL over POP either.
Christophe
--
Raditha Dissanayake.
http://www.raditha.com/megaupload/upload.php
Sneak past the PHP file upload limits.
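The thread turns on whether a server confines mailbox names to a designated folder. The following is an added example, not code from either poster or from any IMAP server: a Python sketch of that confinement check, assuming a hypothetical per-user mail root (`mail_root/user`) and `/` as the hierarchy delimiter.

```python
import os
import re
import tempfile


class MailboxNameError(ValueError):
    """Raised when a mailbox name would resolve outside the user's mail root."""


def resolve_mailbox(mail_root: str, user: str, mailbox: str) -> str:
    """Map a client-supplied mailbox name to a path under mail_root/user."""
    # The user name becomes a directory component, so keep it to a safe alphabet.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", user) or user in (".", ".."):
        raise MailboxNameError("invalid user name")
    if not mailbox or "\x00" in mailbox:
        raise MailboxNameError("empty mailbox name or embedded NUL")
    # Absolute and home-relative names are never mailboxes in this layout.
    if mailbox.startswith(("/", "~")):
        raise MailboxNameError("absolute or home-relative mailbox name")
    if mailbox.upper() == "INBOX":  # INBOX is case-insensitive in IMAP
        mailbox = "INBOX"
    base = os.path.realpath(os.path.join(mail_root, user))
    # realpath collapses '..' and follows symlinks, so a link that points
    # outside the mail root is caught by the containment test below.
    candidate = os.path.realpath(os.path.join(base, mailbox))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise MailboxNameError("mailbox resolves outside the mail root")
    return candidate


if __name__ == "__main__":
    # Constructed sample input: a temporary mail root and a few mailbox names.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "john"))
    for name in ["INBOX", "lists/php", "/etc", "../../etc/passwd", "~root/mail"]:
        try:
            print(f"{name!r:22} -> {resolve_mailbox(root, 'john', name)}")
        except MailboxNameError as exc:
            print(f"{name!r:22} -> rejected ({exc})")
```

The check belongs at every command that takes a mailbox name (SELECT, LIST, SUBSCRIBE, CREATE), not only at folder creation.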