I've architected plenty of secure web apps. These risks are only there when a
web app depends on custom code for front-line security. That is often the
only way to do things if you have a public user base. This is NOT the case for
an email administration application. With an application like this, I KNOW
that I want only users X, Y, and Z and/or users from IP addresses A, B, C to
have access to ANYTHING in the web app. In this case, I don't give a damn
what is in the application or what developer made it, the app server or web
server can easily (as in under 1 minute) be configured to not permit any access
to that application at all except to users X, Y, Z and/or IPs A, B, C. This applies
to any web app anywhere.
The application inside may use custom security to differentiate different
permissions for different user types (aka "roles"), and bad design or
implementation could result in a user gaining more access than he should--
but this is only possible for users X,Y,Z/A,B,C. If this is a concern to
you, then you can entirely eliminate this risk by not using different roles
at all-- only permit access to the app to users who should have complete
Exim Admin privileges. In the latter case, you will still have a great
GUI and great security.
See my next post about my Security Challenge.
Richard Welty wrote:
> On Thu, 29 Jan 2004 15:50:00 +0100 Simon Lange <sl@???> wrote:
>
>>>one which is well known (_not_ one that i found) is the
>>>session id problem with the verizon wireless web site.
>>
>>the technology is still safe but the responsible admin there has an issue...
>
>
> er, no. the design of the app was flawed.
>
> there are certain common design errors that are made in web apps by
> developers who are not security minded. they are repeated time and time
> again. sometimes they aren't too hard to fix. sometimes they can be
> incredibly expensive to fix. they can be made in any environment
> -- VB/ASP, PHP, Perl, etc., etc., and i've seen them in all sorts of places.
>
> richard
> --
> Richard Welty rwelty@???
> Averill Park Networking 518-573-7592
> Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
>
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
--
ICF: 703-934-3692 Cell: 703-944-9317
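The front-line gate the post argues for, sketched as an added example (not code from the post or from any Exim admin tool): a WSGI middleware that the server applies before the admin application runs, so only an allowed source IP AND an allowed user ever reach it, regardless of what the application itself does. The users, passwords and networks are constructed placeholders standing in for the post's X, Y, Z and A, B, C.

```python
import base64
import hashlib
import hmac
from ipaddress import ip_address, ip_network

def pw_hash(password):  # one fixed salt keeps the demo short; a real store salts per user
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 50_000)

# Constructed sample policy: placeholder users and networks, not values from the post.
ALLOWED_NETS = [ip_network("192.0.2.0/24"), ip_network("203.0.113.7/32")]
ALLOWED_USERS = {"x": pw_hash("x-secret"), "y": pw_hash("y-secret")}

def ip_permitted(addr):
    try:
        return any(ip_address(addr) in net for net in ALLOWED_NETS)
    except ValueError:  # an unparsable REMOTE_ADDR is denied, not skipped
        return False

def user_permitted(authorization):
    scheme, _, token = (authorization or "").partition(" ")
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:
        return False
    expected = ALLOWED_USERS.get(user, b"") if scheme == "Basic" else b""
    # KDF always runs and the compare is fixed-time: an unknown name costs the same as a wrong password.
    return hmac.compare_digest(expected, pw_hash(password))

def gate(app):  # WSGI middleware; trusts only REMOTE_ADDR (the TCP peer), never X-Forwarded-For
    def wrapped(environ, start_response):
        if not ip_permitted(environ.get("REMOTE_ADDR", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        if not user_permitted(environ.get("HTTP_AUTHORIZATION")):
            start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="exim-admin"')])
            return [b"authentication required\n"]
        return app(environ, start_response)  # only reached by an allowed IP AND an allowed user
    return wrapped

def admin_app(environ, start_response):  # stand-in for the admin application itself
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"exim admin\n"]

def request(app, remote_addr, user=None, password=""):  # drive app with a constructed environ
    environ = {"REMOTE_ADDR": remote_addr}
    if user is not None:  # send HTTP Basic credentials when a user is given
        environ["HTTP_AUTHORIZATION"] = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]  # the status line the gate (or the app) sent
```

Because the check sits in the server layer, a role bug inside the wrapped application can only ever be exercised by someone who already passed both the IP and the user gate, which is exactly the containment the post describes.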