Roundcube Community Forum

 

Is this safe?

Started by Twirp, July 21, 2006, 08:10:03 PM

Previous topic - Next topic

Twirp

I have more than one site on different servers, and I want to do 1 installation instead of having multiple ones.
So in main.inc.php, I changed:
// the mail host chosen to perform the log-in
// leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL connection, enter ssl://hostname:993
$rcmail_config['default_host'] = 'mail.mydomain.com';

to:
// the mail host chosen to perform the log-in
// leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL connection, enter ssl://hostname:993
if((isset($_SESSION['username'])&&$_SESSION['username']!="")||(isset($_POST['_user'])&&$_POST['_user']!="")){
$email_parts = $_SESSION['username'] ? explode("@",$_SESSION['username']) : explode("@",$_POST['_user']);
$rcmail_config['default_host'] = 'mail.'.$email_parts[1];

}else{
$rcmail_config['default_host'] = 'mail.mydomain.com';
}

Is this dangerous?

bpat1434

Not really.... although nothing is really not dangerous.

A hacker could find a way to use this against you, but the odds of someone exploiting it are slim. Plus, it would most likely just give you a parse error if something was awry. So one thing they could get is possibly the path to your server. Unless error reporting (in PHP) is turned down, an error will show up.

So really, the question should be: If my server is secure, will this code pose any threat?
And the answer to that question is most likely not. If your server is properly secured, there's not a whole not a hacker can do.
 
 

flash

Since you know the server possibilities, you should compare $email_parts[1] to the known list of servers. That would avoid any potential issues. Just set up an array of valid domains, then see if $email_parts[1] is in the array (a simple in_array() one liner). If not, then you could just issue a header() to return to the login or do what ever you want. That would also be more user friendly in the event of typos (the way you have it you will get a connection failure).

EDIT >> or just use the config file ;D
$rcmail_config['username_domain'] = array( . . .