My tmda-cgi "works great" setup using cgiwrap and

tmda-cgi/0.12B "Magnesium" (Python/2.3.2 on FreeBSD-4.8
TMDA/1.0 "Cannonade" (Python/2.3.2 on FreeBSD-4.8
CGI_MODE: no-su

_BUT_ using the CGI_URL verification feature opens up a security hole/issue?

After verifying a message you can simply change the first few digits of the querystring (apparently the UID) and discover other usernames on the machine tmda-cgi is running on, because of the verbose error messages returned, for ex: "Cryptography key file /usr/home/someOtherUser/.tmda/crypt_key, permissions ???"

How do I make tmda-cgi "not give verbose error messages to people/requests that have not yet been verified/authorized with a name/password"? (is there a not-listed-in-the-docs global_debug_level option I can set =to zero?)

I know this isn't a horrible offensive ohmygod problem, but it does seem less-secure-than-it-possibly-should-be. ( username-on-machine == mailbox-on-machine :)

_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
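
The behaviour asked for above, sketched as an added example that is not part of the original post and not tmda-cgi code: an unauthenticated request gets one fixed answer for every failure cause, and the path-bearing detail goes only to the server log. The names handle_confirm, load_key, sign and SAMPLE_USERS, the HMAC token and the sample accounts are assumptions constructed for illustration, not TMDA's actual format.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("cgi_errors")   # server-side log, never sent to the client
GENERIC = (403, "Unable to process this request.")

# Constructed sample data: UID -> (home directory, key-file mode, key bytes).
SAMPLE_USERS = {
    1001: ("/usr/home/alice", 0o600, b"alice-key"),
    1002: ("/usr/home/bob", 0o644, b"bob-key"),   # key file too permissive
}

class SetupError(Exception):
    """Internal error whose text may contain paths and usernames."""

def load_key(uid, users):
    """Hypothetical stand-in for the per-user key check done before login."""
    if uid not in users:
        raise SetupError("no account for uid %d" % uid)
    home, mode, key = users[uid]
    if mode & 0o077:
        raise SetupError("Cryptography key file %s/.tmda/crypt_key, permissions %o"
                         % (home, mode))
    return key

def sign(key, msgid):
    """Simplified confirmation token (assumed scheme): HMAC over the message id."""
    return hmac.new(key, msgid.encode(), hashlib.sha1).hexdigest()

def handle_confirm(uid, msgid, token, authenticated=False, users=SAMPLE_USERS):
    """Return (status, body). 'authenticated' means a logged-in session for uid."""
    try:
        key = load_key(uid, users)
        if not hmac.compare_digest(sign(key, msgid).encode(), token.encode()):
            raise SetupError("bad token for uid %d" % uid)
    except SetupError as exc:
        log.warning("confirm failed uid=%s detail=%s", uid, exc)  # detail stays here
        if authenticated:
            return 500, "Configuration problem: %s" % exc
        return GENERIC   # same answer for unknown UID, bad permissions, bad token
    return 200, "Message confirmed."
```

Because the three failure causes are indistinguishable from outside, changing the UID in the query string no longer reveals which accounts exist, while the administrator still sees the full message in the log.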
