From: pmetzger () lehman com (Perry E. Metzger)
Date: Thu, 24 Feb 1994 23:39:27 -0500

[I am cc:ing this message to Henry Spencer.]

In the spirit of full disclosure for which the bugtraq list was started:

Examination of the cnews control message processing reveals that the
scripts used to execute the control messages pass chunks of the
contents of those messages to "mail". If your cnews is installed in
the default manner on a BSD type system, /bin and /usr/bin come before
/usr/ucb in the path for the news executables and /bin/mail is
executed -- however, if /usr/ucb comes first in the path because of a
nonstandard installation /usr/ucb/mail gets run and tilde escapes,
including ~! -- the bad implications of this should be obvious.

I do not know if there are similar problems in INN.

This is apparently the security hole that some people have been

What to do:

1) If /bin and /usr/bin are in the path of your news scripts first,
   you have nothing immediately to worry about. You might apply the
   following fixes anyway.

2) Most safely, replace references to "mail" with "/bin/mail".

3) Slightly less safely, assure that "/bin" and "/usr/bin" are in the
   path first. It is entirely possible that there is some way to force
   these to the end of the path using another trick -- I don't know
   how this might be done but shell scripts are tricky to plug all
   holes on. Therefore, I would do 2).

4) No matter what, assure that your scripts run as user "news" or
   otherwise as a non-root user. This will make sure that the impact
   of any other holes is minimized. The scripts should already be
   running this way in an ordinary installation, but yours might not
- News Bug Perry E. Metzger (Feb 25)
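
An audit sketch for steps 2) and 3) above, added here as an example and not taken from the original message or from cnews: it reports which directory a given PATH order resolves "mail" from, and lists script lines that invoke "mail" without a directory. The function names and the fixture tree (bin, usr/ucb, newsbin, weak, fixed) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not cnews code. All paths and script names are constructed.

# Print the first directory of a colon-separated PATH string that holds an
# executable "mail" (an empty PATH element means the current directory).
first_mail_dir() {
    ( IFS=:; set -f
      for d in $1; do
          d=${d:-.}
          if [ -f "$d/mail" ] && [ -x "$d/mail" ]; then
              printf '%s\n' "$d"; exit 0
          fi
      done
      exit 1 )
}

# Heuristic: list file:line:text where "mail" appears as a command word with
# no directory in front of it. Comment lines are dropped; "/bin/mail" is not
# reported because the "/" before "mail" prevents a match.
bare_mail_calls() {
    find "$1" -type f -exec grep -nE \
        '(^|[|;&(]|[[:space:]])mail([[:space:]]|$)' /dev/null {} + |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# Build a constructed tree: two stand-in "mail" binaries and two news scripts.
make_fixture() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/usr/ucb" "$t/newsbin"
    for m in "$t/bin/mail" "$t/usr/ucb/mail"; do
        printf '#!/bin/sh\nexit 0\n' > "$m"; chmod +x "$m"
    done
    printf '%s\n' '#!/bin/sh' '# mail the admin' \
        'echo "$body" | mail "$admin"' > "$t/newsbin/weak"
    printf '%s\n' '#!/bin/sh' \
        'echo "$body" | /bin/mail "$admin"' > "$t/newsbin/fixed"
    printf '%s\n' "$t"
}

demo() {
    fx=$(make_fixture) || return 1
    echo "bin first: $(first_mail_dir "$fx/bin:$fx/usr/ucb")"
    echo "ucb first: $(first_mail_dir "$fx/usr/ucb:$fx/bin")"
    echo "unqualified calls:"; bare_mail_calls "$fx/newsbin" || true
    rm -rf "$fx"
}
demo
```

Against a real installation, pass the PATH that the news scripts actually set to first_mail_dir and the news script directory to bare_mail_calls; the grep pattern is a heuristic, so its hits still need reading by hand.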