Bugtraq mailing list archives

Response to Xato Command-line Mailer Security Advisory


From: Jeffry Dwight <jeffry.dwight () GREYWARE COM>
Date: Thu, 21 Dec 2000 21:32:48 -0600

Dear Friends:

Last week, Xato (http://www.xato.net/) issued a security advisory to the
public, noting several problems with a handful of (presumably) popular
command-line mailer programs used on web sites.  Xato's concerns centered
around misuse of these products by malicious visitors to web sites that
employ these tools.  Xato discovered several glaring security problems with
the first several products tested, and issued a preliminary security
advisory immediately.  Unfortunately, Xato's advisory did not say which
tools had which problems, giving the impression that the entire cadre of
web-enabled command-line mailers was seriously flawed.  The advisory was
further marred because not all of the tools mentioned were even designed to
be used on web servers as CGI programs, yielding even more confusion among
the vendors scrambling to either fix or repudiate Xato's findings.

Greyware's product, Comments, was among the programs listed in Xato's
advisory.  Comments is a CGI form-to-email tool with extensive security
features that have been present for years.  The majority of the flaws
mentioned in Xato's advisory do not, and never did, apply to Comments.
However, after discussing the advisory with Mark Burnett of Xato, we agreed
that a few areas of Comments could be improved.  We have addressed these
issues -- primarily tightening of the default security setup, rather than
relying on the system administrator to follow good practices -- and added
some new registry settings for sites that need to be locked down even more
completely.  We have also gone through our online documentation to ensure
that security practices and concerns are identified and addressed as clearly
as possible.  Version 1.8 of Comments was released today, 21 December 2000,
and all of our registered customers were notified of the upgrade.

While no product is ever perfect, we believe Comments is safe to use if the
directions are followed.  Even previous versions presented an acceptable
tradeoff between utility and risk -- the only truly safe system is an
unplugged system -- as long as the web site administrator followed industry
best practices and configured our program accordingly.  We are pleased,
however, at this opportunity to make our product even safer.  Please see our
online documentation at http://www.greyware.com/software/comments/ for a
list of security enhancements in Comments version 1.8.  We gave credit to
Xato for bringing these concerns to our attention.

I respectfully submit, however, that the user community would be better
served by more formal advisories -- advisories that spell out which products
have which problems, give the vendors a reasonable chance to respond before
the advisory is issued, and include the steps to reproduce the problem.
Without these elements, vendors won't know which advisories to take
seriously, and consumers will lose faith in advisories altogether.  A delay
of 24 hours to contact the vendors and double-check the suspected problems,
especially when issuing an advisory concerning programs that have been in
use on web servers for years, is not unreasonable.  The tendency to panic
and shout "Wolf!" when all we see is a gleam in the dark is quite natural,
but needs to be tempered with restraint and meticulous investigation.

Sincerely,

Jeffry Dwight, CEO
Greyware Automation Products
3300 Big Horn Trail
Plano, TX  75075
Voice:  972-867-2794
Fax:  972-599-9175
Tech Support:  techsupport () greyware com