Bugtraq mailing list archives
News Bug
From: pmetzger () lehman com (Perry E. Metzger)
Date: Thu, 24 Feb 1994 23:39:27 -0500
[I am cc:ing this message to Henry Spencer.]

In the spirit of full disclosure for which the bugtraq list was started:

Examination of the cnews control message processing reveals that the scripts used to execute the control messages pass chunks of the contents of those messages to "mail". If your cnews is installed in the default manner on a BSD type system, /bin and /usr/bin come before /usr/ucb in the path for the news executables and /bin/mail is executed -- however, if /usr/ucb comes first in the path because of a nonstandard installation /usr/ucb/mail gets run and tilde escapes, including ~! -- the bad implications of this should be obvious.

I do not know if there are similar problems in INN.

This is apparently the security hole that some people have been obliquely discussing.

What to do:

1) If /bin and /usr/bin are in the path of your news scripts first, you have nothing immediately to worry about. You might apply the following fixes anyway.

2) Most safely, replace references to "mail" with "/bin/mail".

3) Slightly less safely, assure that "/bin" and "/usr/bin" are in the path first. It is entirely possible that there is some way to force these to the end of the path using another trick -- I don't know how this might be done but shell scripts are tricky to plug all holes on. Therefore, I would do 2).

4) No matter what, assure that your scripts run as user "news" or otherwise as a non-root user. This will make sure that the impact of any other holes is minimized. The scripts should already be running this way in an ordinary installation, but yours might not be ordinary.

Perry Metzger
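The checks behind items 1) to 3) of the message above, as an added audit sketch that is not part of the original post or of C News: it reports which directory a given PATH resolves "mail" from and counts script lines that still call mail by bare name. The function names, the staged directory tree and the sample script are constructed for the example, and the grep pattern is a heuristic that only sees "mail" at the start of a command.

```shell
#!/bin/sh
# Added audit sketch, not C News code. All function names are hypothetical.

# resolve_cmd CMD PATHSTRING [ROOT]: print the first PATH directory holding an
# executable CMD, as the shell's search would. ROOT prefixes each directory so
# the check can run against a staged copy of a filesystem.
resolve_cmd() {
    cmd=$1 root=${3:-}
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        [ -n "$dir" ] || continue          # empty PATH entries are skipped here
        if [ -f "$root$dir/$cmd" ] && [ -x "$root$dir/$cmd" ]; then
            IFS=$old_ifs; printf '%s\n' "$dir"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# path_verdict PATHSTRING [ROOT]: "safe" when mail comes from /bin or /usr/bin,
# "unsafe" when /usr/ucb wins (the nonstandard ordering the message describes).
path_verdict() {
    found=$(resolve_cmd mail "$1" "${2:-}") || found=
    case $found in
        /bin|/usr/bin) echo safe ;;
        /usr/ucb)      echo unsafe ;;
        *)             echo unknown ;;
    esac
}

# bare_mail_count FILE...: count lines that run "mail" by bare name, i.e. the
# lines fix 2) would rewrite to /bin/mail. Comments and /bin/mail do not match.
bare_mail_count() {
    cat "$@" | grep -cE '(^|[|;&(`])[[:space:]]*mail([[:space:]]|$)' || true
}

# make_demo_tree: constructed sample tree with stub mailers and one script.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/usr/ucb"
    printf '#!/bin/sh\n' > "$t/bin/mail"; printf '#!/bin/sh\n' > "$t/usr/ucb/mail"
    chmod +x "$t/bin/mail" "$t/usr/ucb/mail"
    printf '%s\n' '# mail the result' 'echo done | mail usenet' \
        'echo done | /bin/mail usenet' > "$t/ctl.sh"
    printf '%s\n' "$t"
}

demo=$(make_demo_tree)
echo "default order:     $(path_verdict /bin:/usr/bin:/usr/ucb "$demo")"
echo "nonstandard order: $(path_verdict /usr/ucb:/bin:/usr/bin "$demo")"
echo "bare mail calls:   $(bare_mail_count "$demo/ctl.sh")"
rm -rf "$demo"
```

On a real host, call path_verdict with the PATH your news scripts actually set and no ROOT argument, and point bare_mail_count at the installed control-message scripts.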