On Thu, 2006-08-17 at 17:29 +0200, Lars Kneschke wrote:
> A web-based application has stored the database connection string in
> cleartext somewhere on the webserver. If you hack the webserver and get the
> sql connection setting you have access to the whole (imap)database. That's
> really bad.

Well, AFAIK dbmail-imapd keeps the SQL password in memory, and if you figure out how to get it out using some overflow, you can get the password. That's theoretical. I am not a h4zkor myself, yet it seems to be achievable unless dbmail-imapd uses some clever memory allocations which disallow the prediction of where the variables are located in memory.

----------------------------------------------------
Michael Tabolsky
Independent IT Professional
Public key: http://www.gfdsa.org/[EMAIL PROTECTED]
Cassanese 200/M,Segrate (MI),20090,Italy
mobile: +39 346 222 35 47
mtabolsky @ gmail...com
skype: mtabolsky, JID: [EMAIL PROTECTED], icq: 919349
