
Re: Testing and honesty



On Tuesday, 11.07.2006 at 09:49 -0300, Andre Carezia wrote:

> Dave Ewart wrote:
> 
> >> Maybe you should think about using better software (squirrelmail and
> >> bind are not secure enough for public servers, anyway :-))
> > 
> > Can you provide some evidence to back up that remark?
> 
> Sure.
> 
> Squirrelmail is written in PHP, a fast-development language not designed
> with security in mind:
> http://www.sklar.com/page/article/owasp-top-ten

OK, that's a reason to avoid PHP, *not* specifically a reason to avoid
Squirrelmail.  Just because PHP may lead to insecure apps does not mean
that any particular PHP application is badly written, from a security
point of view.

> Squirrelmail vulnerabilities:
> http://secunia.com/product/288/

Well, I've just read that link.  Given that pretty much *all*
network-related software will have the occasional security-related bug,
I see there aren't many listed for Squirrelmail and they're all patched.

> BIND flaws:
> http://www.lurhq.com/dnscache.pdf
> http://www.isotf.org/news/DNS-Amplification-Attacks.pdf
> http://cr.yp.to/djbdns/blurb/security.html
> http://cr.yp.to/djbdns/guarantee.html

Hmmm, yeah, I've always been wary of BIND :-)

Dave.
-- 
Please don't CC me on list messages!
...
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
