
Bugtraq mailing list archives

Re: Security problem in C news and INN
From: rafi () tavor openu ac il (Rafi Sadowsky)
Date: Sat, 26 Feb 1994 16:22:06 +0200 (IST)

Jeroen Scheerder wrote:

At 14:20 24/2/94 -0500, Perry E. Metzger wrote:


there are shell scripts in Cnews and INN that pass the message to
ucbMail, where one can do ~ escapes.

Would simply replacing with /bin/mail fix this?

Yes. But binmail doesn't handle aliases since it completely bypasses
sendmail (or so I've heard) and doesn't have the '-s' switch, which is
relied on (and useful) in news reportings.

Eh? Why do you think /bin/mail doesn't have aliases (at least on SunOS 4 it does)?
Now, on BSD/386 for example, /usr/bin/mail is the ucb one, which is probably
where the hole comes from?

About the '-s' flag you're right, but just prepending an 'echo Subject: xxx'
should do the trick (c-news doesn't use '-s' anyhow).

TAVOR-rafi (304)>/bin/mail -v usenet
usenet... aliased to rafi
Subject: test
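
Added example, not part of the original post and not code from C News or INN: a shell wrapper for the workaround discussed in this thread, emitting the Subject: header as the first line of the piped message instead of using the '-s' switch, and neutralising body lines that begin with '~'. The names build_report, send_report and MAILER are hypothetical, and it assumes the mailer takes a leading Subject: line from stdin as in the session above.

```shell
#!/bin/sh
# Added example; function and variable names are hypothetical.

# Mailer that receives the finished message on stdin. /bin/mail is the
# replacement suggested in the thread; override MAILER for local testing.
MAILER=${MAILER:-/bin/mail}

# build_report SUBJECT   (untrusted body on stdin, message on stdout)
# - Writes "Subject:" as the first line, replacing Mail's -s switch.
# - Flattens CR/LF in the subject so it cannot add extra header lines.
# - Prefixes every body line that starts with "~" with a space, so a mailer
#   that honours tilde escapes on piped input sees only plain text.
build_report() {
    subject=$(printf '%s' "$1" | tr '\r\n' '  ')
    printf 'Subject: %s\n\n' "$subject"
    sed 's/^~/ ~/'
}

# send_report SUBJECT RECIPIENT   (untrusted body on stdin)
send_report() {
    build_report "$1" | "$MAILER" "$2"
}
```

The space prefix is a second layer: it keeps the report safe even if MAILER is later pointed back at a tilde-interpreting Mail.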
