From: Tomas K. <to...@us...> - 2012-04-24 16:06:49

carst wrote:
> Tomas Kuliavas wrote:
>> The old plugin version has at least three security issues, a serious
>> performance/memory problem with keyrings that have trusted keys,
>> hardcoded delays that will piss any user off, and more.
>
> Are those issues so fundamental that it doesn't make sense to rewrite the
> old plugin and write a new one instead?

The XSS and file deletion problems are simple enough and can be fixed easily, if you know where they are. I think the bugtraq report has enough information about them. Even if bugtraq does not disclose it, "file deletion" can be performed only with some PHP commands.

The remote execution issue is a different beast, and if you can't get the report information from Stephen Escher, you will be forced to review and sanitize every call to be safe. That's lots of calls and lots of legacy cruft. For me it took three months and a Zend Studio Pro license to review the plugin. Some changes required changes in the webmail itself.

--
View this message in context: http://old.nabble.com/G-PGP-plugin-tp33722382p33740149.html
Sent from the squirrelmail-plugins mailing list archive at Nabble.com.