Re: [Assp-user] Unallowed file

2006-08-18 Thread Fritz Borgstedt
Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
assp-user@lists.sourceforge.net writes:
> 1.2.5(6) stops the functioning of the notes files.


Thanks, try (7)


-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user


Re: [Assp-user] Unallowed file

2006-08-18 Thread paul+as
On 18 Aug 2006 at 10:51, Fritz Borgstedt wrote:

> Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
> assp-user@lists.sourceforge.net writes:
>> 1.2.5(6) stops the functioning of the notes files.
>
> Thanks, try (7)

Great.  Works fine.





Re: [Assp-user] Unallowed file

2006-08-18 Thread Micheal Espinola Jr
Javier Albinarrate wrote:
> What do you think?

$.02:  I think this is increasingly becoming the wrong approach.  The 
interface allows for files to be placed in any [sub]directory of the 
admin's choosing.  For instance, take a look at my [preferred] directory 
structure off the ASSP base:

--
bak
bin
blackholes
clamav
corpus
databases
images
lists
maillog
notes
pb
rc
reports
--

My RE list-files are in the lists directory. My maillog is in the 
maillog directory, etc., etc.  This current line of thought for how to 
secure the issue could cause problems for anyone that is using 
subdirectories in the file: specifications.  i.e.:

   file:lists/noProcessing.txt

+$.02:  I think we should enforce specific file types, the directory 
structure must be within the $base, and no reverse traversals (i.e. 
/../) allowed.




Re: [Assp-user] Unallowed file

2006-08-18 Thread paul+as
On 18 Aug 2006 at 12:41, Javier Albinarrate wrote:

> This opens the possibility of making things like
> images/../../../../blah.txt

Yes

> If other directories should be allowed, then these should be
> specifically allowed I think.
> Like:
>
> elsif ($fil !~ /^(images\/|notes\/)?[\w-\.]+\.txt$/i){

Do we need to be that restrictive?

Also, I've just discovered that we need .db files in there.  Currently you
can't look at your pb/.db files through the interface.

Remind me what we're trying to do here?

Paul




Re: [Assp-user] Unallowed file

2006-08-18 Thread Micheal Espinola Jr
[EMAIL PROTECTED] wrote:
> Do we need to be that restrictive?

No, and we shouldn't be due to the customizable configuration of ASSP.

> Also, I've just discovered that we need .db files in there.  Currently you
> can't look at your pb/.db files through the interface.

Good point.  I missed that as well.

> Remind me what we're trying to do here?

Too much apparently.  :-)   Although, if possible, I think it would be 
safer to restrict access to specific file types.  We just need an 
accurate list.




Re: [Assp-user] Unallowed file

2006-08-18 Thread Fritz Borgstedt

> Although, if possible, I think it would be
> safer to restrict access to specific file types.  We just need an
> accurate list.

Please stop this shit.




Re: [Assp-user] Unallowed file

2006-08-18 Thread Micheal Espinola Jr




Fritz Borgstedt wrote:

> Please stop this shit.

Stop what shit Fritz? *You can't currently open the PB DB's via the web
interface*. We are discussing a resolution. Or are we no longer
allowed to do that?




Re: [Assp-user] Unallowed file

2006-08-18 Thread Fritz Borgstedt


Frankly I think it would be fine to just limit ASSP to its own
directory and sub-folders.

That will be restored.




Re: [Assp-user] Unallowed file

2006-08-18 Thread Fritz Borgstedt
Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
assp-user@lists.sourceforge.net writes:

> Stop what shit Fritz?  *You can't currently open the PB DB's via the web
> interface*.  We are discussing a resolution.  Or are we no longer
> allowed to do that?

You are not discussing a resolution, you are making proposals for
restrictions.




Re: [Assp-user] Unallowed file

2006-08-18 Thread Micheal Espinola Jr
Fritz Borgstedt wrote:
> You are not discussing a resolution, you are making proposals for
> restrictions.

I didn't realize that expressing my opinion about an issue was making a 
proposal.  Thanks for clarifying that for me.





Re: [Assp-user] Unallowed file

2006-08-18 Thread Fritz Borgstedt

> That will be restored.

I think most of it is now corrected in (10).




Re: [Assp-user] Unallowed file

2006-08-18 Thread Fritz Borgstedt
Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
assp-user@lists.sourceforge.net writes:
> I think most of it is now corrected in (10).


It is now corrected in (11).




Re: [Assp-user] Unallowed file

2006-08-18 Thread Fritz Borgstedt

> It is now corrected in (11).

The following rules apply now:

- '..' unallowed everywhere

- Edit of files in ASSP directory OR upper directories allowed only for
'.txt' and '.db' files. This is to block access to other info at the assp
directory, like assp.pl or even the config etc.

- Get of ANY file at any upper directory like images or pb, but NOT at the
assp directory




Re: [Assp-user] Unallowed file

2006-08-18 Thread Micheal Espinola Jr
Fritz Borgstedt wrote:
> The following rules apply now:
>
> - '..' unallowed everywhere
>
> - Edit of files in ASSP directory OR upper directories allowed only for
> '.txt' and '.db' files. This is to block access to other info at the assp
> directory, like assp.pl or even the config etc.
>
> - Get of ANY file at any upper directory like images or pb, but NOT at the
> assp directory

This sounds very good.  I can't wait to test it.  Thank you Fritz - for 
fixing this and putting up with me.  )))




Re: [Assp-user] Unallowed file

2006-08-18 Thread geniusfreak
On 8/18/06, Fritz Borgstedt [EMAIL PROTECTED] wrote:

> It is now corrected in (11).
>
> The following rules apply now:
>
> - '..' unallowed everywhere
>
> - Edit of files in ASSP directory OR upper directories allowed only for
> '.txt' and '.db' files. This is to block access to other info at the assp
> directory, like assp.pl or even the config etc.
>
> - Get of ANY file at any upper directory like images or pb, but NOT at the
> assp directory


v1.2.5(11)
http://127.0.0.1:5/get?file=assp.pl
I still see the assp.pl file and any other file in the base directory.

Kevin

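
The three rules listed in the thread (no '..', edit limited to '.txt' and '.db', get refused for files directly in the ASSP directory), together with the earlier suggestion to keep every path within $base, written out as an added example; this is not ASSP's code. The function name `file_allowed` and the sample directory tree are hypothetical, a POSIX system is assumed, and the symlink and absolute-path checks go beyond what the thread specifies.

```perl
# Added example, not ASSP code. file_allowed() and all sample files are hypothetical.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Returns 1 if $file (relative to $base) may be used for $action ('get' or 'edit').
sub file_allowed {
    my ($base, $action, $file) = @_;
    return 0 if !defined $file || $file eq '' || $file =~ /\0/;
    $file =~ tr{\\}{/};                                   # backslash counts as a separator
    return 0 if $file =~ m{^/} || $file =~ /^[A-Za-z]:/;  # absolute paths leave $base
    my @parts = grep { $_ ne '' && $_ ne '.' } split m{/}, $file;
    return 0 if !@parts || grep { $_ eq '..' } @parts;    # rule 1: '..' nowhere
    if ($action eq 'edit') {
        return 0 unless $parts[-1] =~ /\.(?:txt|db)\z/i;  # rule 2: only .txt and .db
    } elsif ($action eq 'get') {
        return 0 if @parts < 2;                           # rule 3: not the base dir itself
    } else {
        return 0;                                         # unknown action
    }
    # Beyond the thread's rules: follow symlinks, then confirm containment.
    my $root = realpath($base);
    my $path = join '/', $base, @parts;
    return 0 unless defined $root && -f $path;
    my $real = realpath($path);
    return (defined $real && index($real, "$root/") == 0) ? 1 : 0;
}

# Constructed directory tree for the demonstration (POSIX system assumed).
my $base    = tempdir(CLEANUP => 1);
my $outside = tempdir(CLEANUP => 1);
make_path("$base/$_") for qw(images lists pb);
for my $f ("$base/assp.pl", "$base/lists/noProcessing.txt", "$base/pb/example.db",
           "$base/images/logo.gif", "$outside/secret.txt") {
    open my $fh, '>', $f or die "$f: $!";
    close $fh;
}
symlink "$outside/secret.txt", "$base/images/link.txt" or die "symlink: $!";

for my $t (['get', 'assp.pl'], ['get', 'images/logo.gif'], ['get', 'pb/example.db'],
           ['get', 'images/../../../../blah.txt'], ['get', 'images/link.txt'],
           ['edit', 'lists/noProcessing.txt'], ['edit', 'assp.pl'],
           ['edit', 'images/logo.gif'], ['get', './assp.pl']) {
    my ($action, $file) = @$t;
    printf "%-4s %-30s %s\n", $action, $file,
        file_allowed($base, $action, $file) ? 'allowed' : 'denied';
}
```

Only `get images/logo.gif`, `get pb/example.db` and `edit lists/noProcessing.txt` are allowed; `get assp.pl`, the case reported in the last message, is denied by the base-directory rule.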