Download eCorrei

Note: eCorrei is no longer developed. Please use another webmail client, like Roundcube, because eCorrei contains bugs and doesn't work properly in newer PHP versions. This site is primarily available for historical reasons.


SECURITY for eCorrei 1.2.5
2 February 2002

This file includes some notes about security and eCorrei.

When a user logges in, the password, username, language and
domain are send over the network in plain text with the
POST method. This can be secured by using a SSL connection.
eCorrei stores its user settings (username, password, etc)
using the session support of PHP. This means these settings
are stored in a small file in the temp directory of your
system, or whatever the session.save_path directive in php.ini
is set to. If you're using a UNIX-like OS (Linux, Unix, FreeBSD,
etc) these files can't be accessed by a normal user. But for
Windows 9x/ME these files aren't protected (you should never
use these operating systems for a webserver anyway). For Windows
NT/2000 I don't know.
The passwords stored in the session files are encrypted by a trivial
encoding function, but it is better than nothing. On a properly
setup server people can't view these files anyway.

eCorrei asks the browser (and proxy servers) to not cache the pages
generated by eCorrei. This is done so other users can't look into
your mailbox using the browsers cache.
When you're using SSL you don't need to worry about caching because
proxies will not cache these pages. When you're planning to use
SSL, change the protocol directive in config.php.

eCorrei checks the session everytime and denies access if the
session data isn't present, so no mail can be sent if you're not
logged in.

In the users directory several settings are stored: name, E-mail
address, and the addressbook. Each user gets a file with the name
"username@inmailserver". Because you probably don't want 
unauthorized users to look into all the data files, you should (if
you can) place this directory somewhere outside the public
directories of the webserver. If you cannot do this, at least secure
this directory with a .htaccess file (included in the distribution)
or use any other way.

You can also protect the data files by changing the ownership of
these files to the user that runs the webserver. Then change the
permissions so the webserver is the onlyone who has the permissions
to write to the users directory. On a UNIX-like system this can be
done like this:
# chown -R nobody:nobody users/
# chmod -R 700 users/
You must be root to be able to do this. In these commands I assumed
nobody is both the group and the user the webserver runs on. Change
it to suit your system. 

To prevent flooding of your server's harddisk, eCorrei has two
configuration options. The first, the maximum size of settings file,
determines the maximum size of the settings file that is created for
every user. The default setting is 512000 bytes (50 kB), which should
be enough for a regular addressbook.
The second option, maximum size of files that can be attached, determines
the maximum total size of files that can be attached to an E-mail. The
default setting is 2097152 bytes (2 MB) which is the same as the default
maximum upload filesize setting of PHP.  

Please make sure you delete the test script check.php, which checks your
PHP environment. This script could give away sensitive information about
your server, so delete it.

  © 2000-2002 by Jeroen Vreuls.
SourceForge.net Logo