Thus said "Sam Varshavchik" on Sat, 27 Oct 2001 17:19:59 EDT:

> When the userdb password module is used, a password change involves
> running the userdb command to update the userdb password file.

So the check is mainly in there for the userdb module?

> This is an area where I always have a healthy sense of paranoia.

Paranoia is good. :-) I just didn't expect it to happen since previous versions of sqwebmail didn't have this check. At least one of our users had a password with a ';' in it which resulted in a call to me.

I can always modify the code myself since in my case an attack at this point can only be mounted by someone that has already authenticated to the Apache webserver via AuthUserFile. Do I trust my users? Good question. There is no direct path to the sqwebmail binary except by being authenticated, which also means they have to enter their username and password twice (unless they use that blessed new IE feature that remembers your passwords for you).

Andy

--
GnuPG ID 0xA63888C9 (D2DA 68C9 BB2B 26B4 8204 2219 A43E F450 A638 88C9)
