Bugtraq mailing list archives
Re: Security problem in C news and INN
From: rafi () tavor openu ac il (Rafi Sadowsky)
Date: Sat, 26 Feb 1994 16:22:06 +0200 (IST)
Jeroen Scheerder wrote:
At 14:20 24/2/94 -0500, Perry E. Metzger wrote: [...]there are shell scripts in Cnews and INN that pass the message to ucbMail, where one can do ~ escapes.Would simply replacing with /bin/mail fix this?Yes. But binmail doesn't handle aliases since it completely bypasses sendmail (or so I've heard) and doesn't have the '-s' switch, which is relied on (and useful) in news reportings.
eh? why do you think /bin/mail doesn't have aliases ( at least SunOS 4 it does) now on BSD/386 for example /usr/bin/mail is the ucb one - which is probably where the hole comes from ? about the '-s' flag your right but just prepending an 'echo Subject: xxx' should do the trick ( c-news doesn't use '-s' anyhow ) Rafi - TAVOR-rafi (304)>/bin/mail -v usenet usenet... aliased to rafi Subject: test 123
Current thread:
- Re: Security problem in C news and INN Scott D. Yelich (Feb 23)
- Re: Security problem in C news and INN Evil Pete (Feb 24)
- Re: Security problem in C news and INN Perry E. Metzger (Feb 24)
- Re: Security problem in C news and INN Evil Pete (Feb 24)
- syslog security problems Mike Evans (Feb 24)
- Re: Security problem in C news and INN Jeroen Scheerder (Feb 24)
- Re: Security problem in C news and INN Rafi Sadowsky (Feb 26)
- Re: Security problem in C news and INN Robert Crowe (Feb 26)
- Re: Security problem in C news and INN Rafi Sadowsky (Feb 26)
- Re: Security problem in C news and INN hoodr () hoodr slip netcom com (Feb 27)
- Re: Security problem in C news and INN Perry E. Metzger (Feb 24)
- Re: Security problem in C news and INN Evil Pete (Feb 24)
- Re: Security problem in C news and INN Henry Spencer (Feb 25)
- Re: Security problem in C news and INN Casper Dik (Feb 26)