Bugtraq mailing list archives

Re: Security problem in C news and INN


From: hoodr () hoodr slip netcom com (hoodr () hoodr slip netcom com)
Date: Sun, 27 Feb 1994 19:06:34 +0000


In message <199402261422.AA03742 () tavor openu ac il>, Rafi Sadowsky writes:
Jeroen Scheerder wrote:
....
now on BSD/386 for example /usr/bin/mail is the ucb one - which is probably
where the hole comes from ?

I just tested it under NetBSD, which I would suppose also has the ucb one,
and the tilde escapes are *not* processed for non-interactive mailings.  I
feel this is also very likely the case with BSD/386 (I can't test that until
next week sometime).

I get the following from BSDI 1.0's man page:

     -I    Forces mail to run in interactive mode even when input isn't a ter-
           minal.  In particular, the `~' special character when sending mail
           is only active in interactive mode.

Also, SunOS has this interesting flag:

     -r address    Pass address  to  network  delivery  software.
                   All tilde (~) commands are disabled.
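
Added example, not part of the original post or of any mailer's own code: a filter that keeps `~` out of column 1 in untrusted text before it is piped to mail, for hosts where the mailer may process tilde escapes on non-terminal input. The function names, the MAILER variable and the sample body are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: keep untrusted text from reaching mail(1) with '~' in column 1.

# Constructed sample body. Lines 2 and 4 start with '~', which a
# tilde-processing mailer would interpret instead of delivering as text.
sample_body() {
    printf '%s\n' 'Header text copied from a news article' \
                  '~X constructed escape line' \
                  'ordinary text with a ~ in the middle' \
                  '~~ constructed doubled tilde'
}

# Count lines on stdin whose first character is '~' (for logging or alerting).
# grep -c exits non-zero on zero matches, so the status is masked.
count_tilde_lines() {
    grep -c '^~' || true
}

# Prefix each such line with one space so '~' is no longer in column 1.
# A space is used rather than doubling the tilde: '~~' is only collapsed
# when escapes are active, so in non-interactive mode it would be
# delivered as two tildes.
neutralize_tilde() {
    sed 's/^~/ ~/'
}

# Hypothetical wrapper: filter stdin, then hand it to the mailer.
# MAILER is an assumption; set it to the local mail binary.
send_filtered() {
    neutralize_tilde | "${MAILER:-/usr/bin/mail}" "$@"
}

# Stand-alone demonstration on the constructed sample.
before=$(sample_body | count_tilde_lines)
after=$(sample_body | neutralize_tilde | count_tilde_lines)
echo "lines starting with '~': before=$before after=$after"
```

The filter is independent of the mailer's flags, so it applies whether or not the local mail honours the interactive-mode behaviour quoted above.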


