release-msg.cgi security

tmarquespt
Posts: 2
Joined: 01 Jul 2014 16:24

Post by tmarquespt »

Hi all,

I've been using E.F.A. for some time now and I still have some working ESVA setups running at a few sites.
If I recall correctly, a major security breach in the CGI that allowed releasing messages marked as spam (I'm talking about ESVA) forced us to close all HTTP/HTTPS connections from the exterior and allow them only from within the network (or via VPN). From a security point of view it's nice, but it's a huge pain in the @ss on the user side.

I was wondering if those issues have been solved in EFA or if allowing HTTPS from the outside is still a huge concern (I say huge because it's always a concern).
Thanks in advance.

Tiago Marques
darky83
Site Admin
Posts: 544
Joined: 30 Sep 2012 11:03
Location: eFa

Re: release-msg.cgi security

Post by darky83 »

That issue with the broken CGI in ESVA has been fixed; we use a token system and use input validation to make sure this won't happen again.
Version eFa 5.x now available!
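
The following is an added example, not part of the thread and not eFa's own code: a minimal sketch of how a quarantine release endpoint can combine a per-message token with strict input validation. The class name `ReleaseTokens`, the message id pattern, the token length and the lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
import time

# Assumed formats (not taken from eFa): ids and tokens are limited to
# characters that are harmless in a file path, SQL value or command argument.
MSG_ID_RE = re.compile(r"[A-Za-z0-9]{6,12}(?:\.[A-Za-z0-9]{5})?")
TOKEN_RE = re.compile(r"[0-9a-f]{32}")
TOKEN_TTL = 7 * 24 * 3600  # assumed lifetime of a release link, in seconds


class ReleaseTokens:
    """In-memory stand-in for a server-side token table."""

    def __init__(self):
        self._by_msg = {}  # msg_id -> (sha256 of token, expiry timestamp)

    def issue(self, msg_id, now=None):
        """Create the token that goes into the release link for msg_id."""
        now = time.time() if now is None else now
        if not MSG_ID_RE.fullmatch(msg_id):
            raise ValueError("bad message id")
        token = secrets.token_hex(16)  # 128 random bits, 32 hex characters
        digest = hashlib.sha256(token.encode()).digest()
        self._by_msg[msg_id] = (digest, now + TOKEN_TTL)
        return token

    def redeem(self, msg_id, token, now=None):
        """Return True exactly once for a valid, unexpired (id, token) pair."""
        now = time.time() if now is None else now
        if not (isinstance(msg_id, str) and isinstance(token, str)):
            return False
        # fullmatch, not match with "$": "$" would accept a trailing newline.
        if not MSG_ID_RE.fullmatch(msg_id) or not TOKEN_RE.fullmatch(token):
            return False
        record = self._by_msg.get(msg_id)
        if record is None:
            return False
        digest, expiry = record
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison; the token must belong to this message.
        if not hmac.compare_digest(digest, presented) or now > expiry:
            return False
        del self._by_msg[msg_id]  # single use: the link stops working
        return True
```

The release action itself should run only after `redeem` returns True, and should use the already validated id rather than the raw request parameter.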
tmarquespt
Posts: 2
Joined: 01 Jul 2014 16:24

Re: release-msg.cgi security

Post by tmarquespt »

Ah, great to know.
Thanks for the great work with EFA.

TM
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: release-msg.cgi security

Post by shawniverson »

Also, EFA supports Trusted Networks for additional security (off by default).