On Fri, 2006-08-18 at 00:06 +1000, [EMAIL PROTECTED] wrote:
> On Thu, August 17, 2006 21:53, Lars Kneschke wrote:
> > Michael Tabolsky <[EMAIL PROTECTED]> wrote:
> >
> >> Do you mean the problem that php has access to the whole email server
> >> database regardless the mailbox authentication? Seems to be a threat, but we
> >> can figure out how to put it in limits...
> >
> > Yes. That's my main concern.
> >
> > It's not all that different to imapd having access to the whole db.

Yes and no. If you don't allow direct remote access to IMAP, then you're talking about two layers of separation between the database and a remote user. And even if you do allow direct access, web apps are generally considered to be more vulnerable than proper daemons. There are a few recent articles about XSS (cross-site scripting) and how many web app backends are too trusting of data coming from the client-side frontend. That's not to say that DBMail isn't directly crackable, just that it's more likely that a web app would be attacked and broken into.

> Unless you have separate DB's per user you can't have that layer.
> At some point you have to trust something ;->

Read Geo Carncross' wiki pages about separate databases with SQLite.

Aaron
