[Exim] Eximon vs. Exim Webapp security challenge

Author: Blaine Simpson
Date:  
To: exim-users
Subject: [Exim] Eximon vs. Exim Webapp security challenge
I encourage the armchair critics who think they know something about
web app security to break into Exim Webapp. I am making it very easy
for you to break in by giving you all of the following details which
hackers usually do not have.

     Access URL: http://mail.africafocus.org:8180/exim/


     OS:  FreeBSD 4.8


     Firewall:  None other than the very light one provided by the
     hosting facility (and which does nothing at all to inhibit any
     attack over any tcp transport involved here).


     How it is secured:  EXACTLY as documented at
     http://admc.com/blaine/howtos/exim-webapp/Security.html#Security


This is not some fake, secured setup. This is a real, working mail
server and Exim Webapp installation that I use for africafocus.org.

Now, is anybody foolish enough to broadcast the telnet/ssh address that
you use to remotely run eximon? (Seriously-- don't unless you know
that you have sshd patched and nailed down-- I won't take the time to
break in, but somebody else reading this may).


Please be considerate and keep in mind that the challenge is to break
in through Exim Webapp, not through smtp, etc., since the latter risk
exists regardless of whether eximon, Exim Webapp, or any other application
is running on top of Exim. Please don't DoS me!


--
ICF:  703-934-3692       Cell:  703-944-9317