Bugtraq mailing list archives

Re: Security problem in C news and INN
From: pmetzger () lehman com (Perry E. Metzger)
Date: Thu, 24 Feb 1994 11:15:38 -0500


This is bugtraq, not some CERT list. Would someone please explain how
this hole works? I run C News, not INN, and I can't feel secure unless
I can check the bug on my own.

Perry

Casper Dik says:

Maybe I'm the last person on the planet to realize this.....  is it common
knowledge that there's a *major* security hole in both C news performance
release, and old versions of INN?

If anyone doesn't know what I'm talking about, then you may want to disable
newgroup and checkgroups processing from C news (performance release), and
disable processing of ALL control messages except cancel from INN.  Disable
them <completely>, best with an "exit 0" at the first line of all
appropriate scripts.  Do not attempt to interpret or process these articles
in any way.  Don't do _anything_ with these articles except ignore them.
This is overkill, but anything more specific would be too much of a
giveaway.

If you use INN, you can get inn1.4.sec from ftp.uu.net.
It fixes this problem.
I'm not sure that disabling all control messages except cancel
actually works.

Casper


