
Speaking of Roundcube: If you're hosting it without apache (as in: without htaccess support), make sure the logs directory and files aren't exposed publicly. They can contain access tokens and even encrypted passwords (encrypted with a default password unless manually changed during installation), and follow a known file structure, so it's quite common for people to get owned this way.



> ~~If you're hosting it without apache (as in: without htaccess support),~~ make sure the logs directory and files aren't exposed publicly.

Never expose any logs to strangers for anything anywhere


Sure, that’s always sound advice. However, most projects are usually designed in a way that their logs are either not exposed at all (due to not being in the webroot, for example), or have measures in place to avoid exposing them (like WordPress, for example). Roundcube just puts them there and you have to actively think about excluding them from your webserver configuration. Plus, they dump really sensitive information in there by default. That’s why I wanted to explicitly point it out in this case.


Can you configure Roundcube to store them outside the webroot?


If you're running Roundcube on its own subdomain, you just set the webroot to the "public_html" subfolder and then nothing else is accessible.
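The point raised in this thread is easy to check locally before anyone probes it from outside. The script below is an added example, not code from any commenter or from the Roundcube project: given a Roundcube install directory and the document root your web server actually serves, it lists which of the directories a stock Roundcube tree ships (logs, temp, config, SQL, bin, installer) would be reachable through that document root, honouring a `$config['log_dir']` or `$config['temp_dir']` override in config/config.inc.php. Treating a relative override as relative to the install root is an assumption; the directory names are the ones found in a standard Roundcube checkout.

```shell
#!/bin/sh
# Added example (not Roundcube project code): audit a local Roundcube
# install tree and list the directories a web server would serve if the
# given document root were pointed at them. Directory names are those a
# stock Roundcube tree contains; treating a relative log_dir / temp_dir
# override as relative to the install root is an assumption.

# Print the canonical absolute path of an existing directory.
canon() {
    (CDPATH= cd "$1" 2>/dev/null && pwd -P)
}

# rc_config_value FILE KEY: print the string assigned to $config['KEY']
# in a Roundcube config.inc.php (last assignment wins), or nothing.
rc_config_value() {
    sed -n "s/^[[:space:]]*\\\$config\[['\"]$2['\"]\][[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
        "$1" 2>/dev/null | tail -n 1
}

# rc_exposed_dirs INSTALL_DIR DOCROOT
# Prints "name: path" for every sensitive directory that lies under DOCROOT.
# Exit status 2 if either directory does not exist, 0 otherwise.
rc_exposed_dirs() {
    install=$(canon "$1") || return 2
    docroot=$(canon "$2") || return 2
    prefix="${docroot%/}/"          # "/srv/www/" style prefix; "/" stays "/"
    conf="$install/config/config.inc.php"
    for name in logs temp config SQL bin installer; do
        dir="$install/$name"
        case $name in
            logs|temp)
                # $config['log_dir'] / $config['temp_dir'] relocate these two
                override=$(rc_config_value "$conf" "${name%s}_dir")
                if [ -n "$override" ]; then
                    case $override in
                        /*) dir=$override ;;
                        *)  dir="$install/$override" ;;   # assumption: relative to install root
                    esac
                fi
                ;;
        esac
        dir=${dir%/}
        # Canonicalise when the directory exists so a symlink does not hide it.
        cdir=$(canon "$dir") || cdir=$dir
        case "$cdir/" in
            "$prefix"*) echo "$name: $cdir" ;;
        esac
    done
    return 0
}

# Usage: rc_exposed_dirs /var/www/roundcube /var/www/roundcube
# An empty result means none of those directories sit under the document root.
```

If the script prints anything for the document root you serve, either move the document root (as suggested above), move `log_dir` and `temp_dir` out of the tree, or add explicit deny rules for those paths in the web server configuration; the check only looks at path containment, so it says nothing about deny rules you may already have in place.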



