RoundCube Webmail Forum  

#1  07-22-2006, 01:10 AM
Registered User
 
Join Date: Jul 2006
Posts: 3
Downloads: 0
Uploads: 0
Is this safe?

I have more than one site on different servers, and I want to do 1 installation instead of having multiple ones.
So in main.inc.php, I changed:
Code:
// the mail host chosen to perform the log-in
// leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL connection, enter ssl://hostname:993
$rcmail_config['default_host'] = 'mail.mydomain.com';
to:
Code:
// the mail host chosen to perform the log-in
// leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL connection, enter ssl://hostname:993
// Take the login name from the session (already logged in) or from the
// posted login form, whichever is present.
$login = '';
if (isset($_SESSION['username']) && $_SESSION['username'] != "") {
	$login = $_SESSION['username'];
} elseif (isset($_POST['_user']) && $_POST['_user'] != "") {
	$login = $_POST['_user'];
}
$email_parts = explode("@", $login);
if (count($email_parts) == 2 && $email_parts[1] != "") {
	// derive the IMAP host from the domain part of user@domain
	$rcmail_config['default_host'] = 'mail.' . $email_parts[1];
} else {
	$rcmail_config['default_host'] = 'mail.mydomain.com';
}
Is this dangerous?
#2  07-22-2006, 04:44 AM
bpat1434 (Administrator)
 
Join Date: Jun 2006
Location: Maryland, USA
Posts: 599
Downloads: 17
Uploads: 0
Re: Is this safe?

Not really... although nothing is really not dangerous.

A hacker could find a way to use this against you, but the odds of someone exploiting it are slim. Plus, it would most likely just give you a parse error if something was awry. So one thing they could get is possibly the path to your server. Unless error reporting (in PHP) is turned down, an error will show up.

So really, the question should be: If my server is secure, will this code pose any threat?
And the answer to that question is most likely not. If your server is properly secured, there's not a whole lot a hacker can do.
#3  08-05-2006, 03:42 AM
Registered User
 
Join Date: Jul 2006
Posts: 49
Downloads: 0
Uploads: 0
Re: Is this safe?

Since you know the server possibilities, you should compare $email_parts[1] to the known list of servers. That would avoid any potential issues. Just set up an array of valid domains, then see if $email_parts[1] is in the array (a simple in_array() one liner). If not, then you could just issue a header() to return to the login or do whatever you want. That would also be more user friendly in the event of typos (the way you have it you will get a connection failure).

EDIT >> or just use the config file
$rcmail_config['username_domain'] = array( . . .
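The allowlist approach from the reply above, written out as an added example (this is not code from the original posts or from Roundcube itself). It assumes the login name has the form user@domain, that each served domain's IMAP server is "mail." followed by that domain, and that $_POST['_user'] and $_SESSION['username'] are the fields the question uses; the domain list is constructed for the example. The host string is only ever built from a value that matched the list exactly, so nothing typed into the login form reaches the connection target unchanged.

```php
<?php
// Added example, not from the original thread or from Roundcube.
// Constructed allowlist: the domains this single installation serves.
$known_domains = array('example.com', 'example.org');

/**
 * Return the IMAP host for a login name, or null when the domain part is
 * missing, empty, or not on the allowlist.
 */
function rcmail_host_for_login($login, array $known_domains)
{
    $parts = explode('@', (string) $login);
    if (count($parts) != 2 || $parts[1] === '') {
        return null;                       // no usable domain part
    }
    $domain = strtolower(trim($parts[1]));
    // strict in_array(): only an exact string match counts
    if (!in_array($domain, $known_domains, true)) {
        return null;                       // unknown domain: refuse it
    }
    return 'mail.' . $domain;              // built from our list, not from the request
}

// Pick the login name the same way the question does: session first,
// then the posted login form.
$login = '';
if (!empty($_SESSION['username'])) {
    $login = $_SESSION['username'];
} elseif (!empty($_POST['_user'])) {
    $login = $_POST['_user'];
}

$host = rcmail_host_for_login($login, $known_domains);
if ($host === null && $login !== '') {
    // Typo or unknown domain: send the user back to the login page
    // rather than letting Roundcube attempt a connection to "mail." + junk.
    header('Location: ./?_task=login');
    exit;
}
$rcmail_config['default_host'] = ($host !== null) ? $host : 'mail.mydomain.com';
```

With this in main.inc.php, a login of bob@example.org resolves to mail.example.org, a login with a typo such as bob@exmaple.org is bounced back to the login form, and a first visit with no login name at all falls through to the fixed default host exactly as in the original configuration.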