Bugtraq mailing list archives
Re: SECURITY HOLE: FormMail
From: Andrew.Macpherson () bnr co uk (Andrew Macpherson)
Date: Sat, 5 Aug 1995 07:58:04 +0100
Christian Wettergren wrote:
| I don't know about smail and pp though. The key here is however that
| it is _legitimate_ requests for _features_ that is the problem, not
| any bugs. (I usually phrase this as thought-of "pure" data that is
| actually containing meta-data syntax escapes.)

I'm not 100% sure about smail. PP will only deliver to programs which the administrator has configured in 2 different tables --- The program *must* be accessed via a label (join key) in both the users' table, and the shell table, or from the user's mailfilter file. The user-of-execution is specified in the shell table, or is the owner of the mailfilter, and altogether one feels fairly happy about pp and program delivery, because the programs are all under local control. It is impossible for the submitter to specify a program.

As for sendmail: well we have had bug-of-the-week from that for so long now... the least one expects is the administrator has installed the checking program on the program channel. Personally I will not touch it anywhere where delivery can be effected.

--
Andrew.Macpherson.1248566 () bnr co uk - or - andrew () bnr ca
"Northern Telecom has committed to a 30% reduction in its use of paper by the year 2000."
No faxes, or printouts please, just e-mail.