Search The ForumSearch   RegisterRegister  LoginLogin

AfterLogic WebMail Pro
 AfterLogic Forum : AfterLogic WebMail Pro
Subject Topic: Security Concerns Post ReplyPost New Topic
Author
Message << Prev Topic | Next Topic >>
jyanes
Newbie
Newbie
Avatar

Joined: 13 June 2010
Location: United States
Online Status: Offline
Posts: 1
Posted: 13 June 2010 at 5:10pm | IP Logged Quote jyanes
Hello i am trying out Afterlogic Community Edition. I noticed that if go to the browser and type in
http://locationofserver/webmail/data/settings/adminpanel.xml

I can see the details of the file in my browser. This of course is not desired as this file contains my admin
password and username in clear text.

Did i set something up incorrectly here? I tried remove permissions etc. but when i do that i end up with
an error on the Admin Panel page saying that it could not access the adminpanel.xml file.

any help would be appreciated.
Back to Top View jyanes's Profile Search for other posts by jyanes
 
Igor
AfterLogic Support
AfterLogic Support


Joined: 24 June 2008
Location: United States
Online Status: Offline
Posts: 6104
Posted: 15 June 2010 at 2:16am | IP Logged Quote Igor
I believe you're absolutely right, those .XML configuration files should not be available via web browser. That's exactly why we include special Apache configuration file .htaccess in the data folder, with really simple content:

Code:
Deny from all


This doesn't affect loading files via filesystem, but any attempts to access the file via web browser will result in error. Not sure why it doesn't work this way in your particular case, this probably has something to do with web server configuration; AllowOverride option state should be probably rechecked. That is, of course, if you're using Apache to run the product.

--
Regards,
Igor, AfterLogic Support
Back to Top View Igor's Profile Search for other posts by Igor
 
nickux
Newbie
Newbie


Joined: 08 July 2010
Online Status: Offline
Posts: 16
Posted: 08 July 2010 at 4:57am | IP Logged Quote nickux
Perhaps there should be a notification at the end of installation in order for admin to check if those XML files are retrievable over web.

Just in case his Apache installation is not set to use .htaccess or if the does not even use Apache.

I found out the same by examining the project. Perhaps it might be better to mention this during installation in red somehow, or allow administrator to have the data folder outside of the web path.
Back to Top View nickux's Profile Search for other posts by nickux
 
Igor
AfterLogic Support
AfterLogic Support


Joined: 24 June 2008
Location: United States
Online Status: Offline
Posts: 6104
Posted: 08 July 2010 at 5:12am | IP Logged Quote Igor
Good point, indeed. I will forward this to the product manager. Thank you!

--
Regards,
Igor, AfterLogic Support
Back to Top View Igor's Profile Search for other posts by Igor
 

If you wish to post a reply to this topic you must first login
If you are not already registered you must first register

  Post ReplyPost New Topic
Printable version Printable version

Forum Jump

Powered by Web Wiz Forums version 7.9
Copyright ©2001-2004 Web Wiz Guide