COMMAND

    PostACI Webmail

SYSTEMS AFFECTED

    PostACI Webmail

PROBLEM

    Michael  R.  Rudel  found  following.   The PostACI webmail system
    contains  a  rather  trival  vulnerability.   One  can  obtain the
    hostname, username  and password  variables for  the MySQL  server
    (in addition to  other setup information)  if PostACI is  setup as
    described running out of the box by simplying going to the url:

        http://<host.running.postaci.com>/includes/global.inc

    So, if webmail.com was running PostACI:

        http://<host.running.postaci.com>/includes/global.inc

SOLUTION

    Well,  you  ask,  what  can  I  do  to  fix this?  There are a few
    different ways.   You could  just modify  the source  tree to make
    /includes  a  different  directory  that  only  you know.  Or, you
    could do it the right way  and use a .htaccess file to  only allow
    localhost to access anything in the includes directory or you  can
    do  the  rightest  thing  and  move  the include's outside the web
    server  document  tree,  and  modify  the source code accordingly.
    Moving it to a directory that only know, but still inside the  www
    document tree  is false  sense of  security, a  primer of security
    through obscurity.

    MySQL  database  passwords  are  something  that  need  to be more
    closely guarded, and this isn't the first application like this.

    In addition to properly  guarding your passwords, you  should only
    let certain hostnames  connect to MySQL,  and should have  several
    layers of  protection, such  as at  least one  firewall, and  then
    MySQL's built in host protection.