We use cookies to ensure you get the best experience on our website
Home Explore Help
Register Sign In
0ct0pu5
/
squirrelmail
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

- Add doc/security.txt with some hints for a more secure installation.
Feel free to improve/expand on this.
- Add some info to INSTALL about register_globals

Thijs Kinkhorst 19 years ago
parent
6e895ec255
commit
2537444711
3 changed files with 42 additions and 0 deletions
Unified View Show Diff Stats
  1. 1 0
      ChangeLog
  2. 4 0
      INSTALL
  3. 37 0
      doc/security.txt

+ 1 - 0
ChangeLog
View File 

@@ -494,6 +494,7 @@ Version 1.5.1 -- CVS
 
   - Fixed ContentType object check in Rfc822Header class. E_NOTICE error
 
   - Fixed ContentType object check in Rfc822Header class. E_NOTICE error
 
     in PHP 5.1.
 
     in PHP 5.1.
 
   - Key value being overwritten by reuse of var in filters plugin.
 
   - Key value being overwritten by reuse of var in filters plugin.
 
+  - Add doc/security.txt with some hints for a more secure installation.
 
 
 
 Version 1.5.0 - 2 February 2004
 
 Version 1.5.0 - 2 February 2004
 
 -------------------------------
 
 -------------------------------

+ 4 - 0
INSTALL
View File 

@@ -69,6 +69,10 @@ Each of these steps is covered in detail below.
 
     Required for Japanese translation. Optional for translations that
 
     Required for Japanese translation. Optional for translations that
 
     use non-ISO-8859-1 charset
 
     use non-ISO-8859-1 charset
 
 
 
+  It is highly advised to NOT turn on register_globals, as this can lead
 
+  to security holes. If you must use register_globals for some applications,
 
+  turn it on locally for only those directories, or turn it off for the
 
+  SquirrelMail folder.
 
   If you want your users to attach files to their mails, make sure
 
   If you want your users to attach files to their mails, make sure
 
   File Uploads in php.ini is set to On.
 
   File Uploads in php.ini is set to On.

+ 37 - 0
doc/security.txt
View File 

@@ -0,0 +1,37 @@
 
+Securing Your SquirrelMail Setup
 
+--------------------------------
 
+
 
+We try to make SquirrelMail as secure as possible, but the security of
 
+an install depends on a lot of factors. This file lists some tips to
 
+further improve the security of your webmail system.
 
+
 
+- PHP configuration. It's very important to turn register_globals OFF.
 
+  The majority of security issues discovered in SquirrelMail in the past
 
+  could only be exploited when register_globals was set to on. If you
 
+  need register_globals for other web applications, turn it on specifically
 
+  for those apps.
 
+
 
+- HTTPS/SSL Logins. SquirrelMail runs fine over an https / SSL connection,
 
+  and it's not that hard to set one up.
 
+
 
+- Data dir / attachment dir. Make sure that you've set these up with the
 
+  right permissions (only for the webserver user) and that they're outside
 
+  of your webserver's document root. See INSTALL for details.
 
+
 
+- IMAPS / TLS. If your IMAP server is not on the same host as SquirrelMail,
 
+  you can configure SquirrelMail to use an encrypted connection to your
 
+  IMAP server. Note that this makes no sense if both are on the same machine.
 
+  See doc/authentication.txt for info.
 
+
 
+- Subscribe to the squirrelmail-announce mailinglist to be informed about new
 
+  releases which may fix security bugs. If you run SquirrelMail packaged by
 
+  your distribution, make sure to apply their security upgrades.
 
+
 
+
 
+These are only some tips to get you started. A truly secure system needs
 
+careful tweaking of all components, including PHP, Apache, mailserver,
 
+the underlying OS, which users can login, etc. Searching the web will turn
 
+up lots of information.
 
+
 
+
 
+$Id$

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5