Bugtraq mailing list archives
Response to Xato Command-line Mailer Security Advisory
From: Jeffry Dwight <jeffry.dwight () GREYWARE COM>
Date: Thu, 21 Dec 2000 21:32:48 -0600
Dear Friends:

Last week, Xato (http://www.xato.net/) issued a security advisory to the public, noting several problems with a handful of (presumably) popular command-line mailer programs used on web sites. Xato's concerns centered around misuse of these products by malicious visitors to web sites that employ these tools.

Xato discovered several glaring security problems with the first several products tested, and issued a preliminary security advisory immediately. Unfortunately, Xato's advisory did not say which tools had which problems, giving the impression that the entire cadre of web-enabled command-line mailers was seriously flawed. The advisory was further marred because not all of the tools mentioned were even designed to be used on web servers as CGI programs, yielding even more confusion among the vendors scrambling to either fix or repudiate Xato's findings.

Greyware's product, Comments, was among the programs listed in Xato's advisory. Comments is a CGI form-to-email tool with extensive security features that have been present for years. The majority of the flaws mentioned in Xato's advisory do not, and never did, apply to Comments. However, after discussing the advisory with Mark Burnett of Xato, we agreed that a few areas of Comments could be improved.

We have addressed these issues -- primarily tightening of the default security setup, rather than relying on the system administrator to follow good practices -- and added some new registry settings for sites that need to be locked down even more completely. We have also gone through our online documentation to ensure that security practices and concerns are identified and addressed as clearly as possible.

Version 1.8 of Comments was released today, 21 December 2000, and all of our registered customers were notified of the upgrade. While no product is ever perfect, we believe Comments is safe to use if the directions are followed. Even previous versions presented an acceptable tradeoff between utility and risk -- the only truly safe system is an unplugged system -- as long as the web site administrator followed industry best practices and configured our program accordingly. We are pleased, however, at this opportunity to make our product even safer.

Please see our online documentation at http://www.greyware.com/software/comments/ for a list of security enhancements in Comments version 1.8. We gave credit to Xato for bringing these concerns to our attention.

I respectfully submit, however, that the user community would be better served by more formal advisories -- advisories that spell out which products have which problems, give the vendors a reasonable chance to respond before the advisory is issued, and include the steps to reproduce the problem. Without these elements, vendors won't know which advisories to take seriously, and consumers will lose faith in advisories altogether. A delay of 24 hours to contact the vendors and double-check the suspected problems, especially when issuing an advisory concerning programs that have been in use on web servers for years, is not unreasonable. The tendency to panic and shout "Wolf!" when all we see is a gleam in the dark is quite natural, but needs to be tempered with restraint and meticulous investigation.

Sincerely,

Jeffry Dwight, CEO
Greyware Automation Products
3300 Big Horn Trail
Plano, TX 75075
Voice: 972-867-2794
Fax: 972-599-9175
Tech Support: techsupport () greyware com