The following new message has been posted on Phorm Support Forum at <http://www.phorm.com/support/>.

***************************************************************************
MESSAGE: (#3796) Re: Security Hole <http://www.phorm.com/support/?rev=3796>
AUTHOR: Holotech
DATE: March 3, 2004 at 8:29 a.m. EST

Reply To: (#3793) Security Hole
Author: superwebgirl
Date: March 2, 2004 at 8:31 a.m. EST

> I am by NO MEANS an expert in this area, but I did
> notice that if you do not put an "index.html" file in
> each of the directories, they are vulnerable to being
> downloaded.

I wouldn't really call this a security hole. All it does is allow someone to see what files are there, via a browser. All the files and directories there need to be accessible to Phorm, which means that you either have the permissions open (in which case you shouldn't have any sensitive information in any viewable files such as text logs; PHP files are not viewable), or you are running Phorm under your user ID, and the file permissions are closed (ideal scene).

Of course, if you have directory permissions open, an index.html file won't stop someone else on your server from viewing their contents, and if you have file permissions open, all files are viewable to others on your server (assuming you're on a shared server).

Someone viewing your plugins directory can see what plugins you have installed, but all plugins are designed to run only when called from Phorm.

I think I will expand the "Security Considerations" section of the documentation with the next release.

***************************************************************************
This is an automatically-generated notice. If you'd like to be removed from the mailing list, please visit Phorm Support Forum at <http://www.phorm.com/support/>, or send your request to webbbs@xxxxxxxxxx

If you wish to respond to this message, please post your response directly to the board. Thank you!
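An added example, not part of the forum post or of Phorm's own code: a Python audit that reports separately the two exposures the reply distinguishes, directories a web server could list because they hold no index file, and files or directories whose permission bits let other accounts on a shared server read them. The index file names and the install path given on the command line are assumptions.

```python
import os
import stat
import sys

# Assumed index file names; the real set depends on the web server's configuration.
INDEX_NAMES = ("index.html", "index.htm", "index.php")


def audit(root):
    """Return sorted (issue, relative_path) findings for the tree under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        # The "other" read bit lets any local account list the directory,
        # whether or not an index file is present.
        if mode & stat.S_IROTH:
            findings.append(("dir-readable-by-others", rel))
        if mode & stat.S_IWOTH:
            findings.append(("dir-writable-by-others", rel))
        # Browser-side exposure only: with no index file, a server that has
        # automatic listings enabled will show the file names.
        if not any(name in filenames for name in INDEX_NAMES):
            findings.append(("no-index-file", rel))
        for name in filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other special files
            frel = os.path.normpath(os.path.join(rel, name))
            fmode = stat.S_IMODE(st.st_mode)
            if fmode & stat.S_IROTH:
                findings.append(("file-readable-by-others", frel))
            if fmode & stat.S_IWOTH:
                findings.append(("file-writable-by-others", frel))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_perms.py /path/to/phorm  (path is a placeholder)
    for issue, path in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{issue:26} {path}")
```

A directory that reports `dir-readable-by-others` but not `no-index-file` is the case the reply warns about: the index file hides the listing from browsers, not from other users on the same host.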