
BLU Discuss list archive



Installing POP servers on linux?



Derek Martin <dmartin at lancity.COM>

	On Fri, 3 Sep 1999, Derek Martin wrote:

	> On Fri, 3 Sep 1999, Brian Conway wrote:
	> 
	> > > Install IMAP. It provides the daemons you seek.
	> > 
	> > And is highly and easily exploitable even on a good day.  Seriously
	> 
	> I was aware of a buffer overflow problem in IMAP, but all my information
	> (including looking at the CERT advisories) seems to suggest that it has
	> been fixed since RH 5.2, and for those with older distros there are update
	> rpms that fix the known vulnerabilities.

	Incidentally, CERT also had a vulnerability report of buffer overflows in
	qpopper.

Jeez; you'd think they'd have purged gets from all the C libraries by
now! ;-)

Buffer overflows aside, I did get ipop3d running, dug around in the
RFC, and threw together a little tcl testing tool to exercise it
remotely. In the process, I got curious about Red Hat's (linuxconf's)
gimmick for adding POP3 users to the system. It includes options for
creating a POP-only user. I suspect that IMAP will work as well, but
that wasn't what got me curious. It seemed that they were trying to
be reassuring that such a user could do nothing but fetch mail. The
use of /bin/false as the shell looks reassuring, and of course a
login attempt simply got a new login prompt.

So, just for the fun of it, I decided to ftp to the site and tell
ftpd that I was the POP-only user. It worked just fine. And I wasn't
in with any sort of restricted, anonymous permissions. I could cd to
/etc without problem, and could get a copy of any of the files there.

Now, a logged-in user can do the same thing, of course, though it's
not quite as easy. But as I said, I'd gotten the impression that this
was being set up as an email-only account. Not hardly.

I spent a little time wandering around in CERT, and asked AltaVista
if it knew anything that combined POP and FTP and security. It did,
but they all seemed to be like the first one: "Super Cheap
Webhosting, 500 megs, Unlimited POP3's, Unlimited FTP, Only $18.45".
Nothing visible resembling a discussion of this potential problem.

<sigh>
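An added example, not code from the post above and not Red Hat's or linuxconf's own tooling: a small Python audit that applies to each passwd entry the two checks a classic wu-ftpd or BSD ftpd makes before accepting a password (the login shell must be listed in /etc/shells, and the user must not be named in /etc/ftpusers), so you can see whether a "POP-only" /bin/false account is still FTP-capable. The /etc/passwd, /etc/shells and /etc/ftpusers contents are constructed samples, and the premise that /bin/false had been added to /etc/shells is an assumption about why the login above succeeded, not something the post states. A no-login shell only stops the login(1)/telnet path; any daemon that does its own password check against the same passwd entry (ftpd, ipop3d) still sees a valid account unless it also enforces a shell or deny list.

```python
"""Audit "mail-only" accounts against ftpd-style /etc/shells and
/etc/ftpusers checks.

Added example, not code from the original post.  Assumes an ftpd that
behaves like wu-ftpd / BSD ftpd: deny the user if the login shell is not
in /etc/shells, or if the user name appears in /etc/ftpusers.  All file
contents below are constructed samples, not taken from a real system.
"""

# Shells that refuse an interactive login.  They do nothing for services
# that authenticate on their own, which is the point of this check.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed /etc/passwd excerpt (no real users).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
popuser:x:501:501:POP-only user:/home/popuser:/bin/false
alice:x:502:502:Alice:/home/alice:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
oddshell:x:503:503:Odd:/home/oddshell:/usr/local/bin/zsh
"""

# Constructed /etc/shells.  The /bin/false entry is the assumed mistake:
# it makes every "no-login" account acceptable to a shells-checking ftpd.
SAMPLE_SHELLS = """\
# valid login shells (constructed sample)
/bin/sh
/bin/bash
/bin/false
"""


def parse_passwd(text):
    """Return (user, shell) pairs from passwd-format text."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line: skip rather than guess a shell
        entries.append((fields[0], fields[6]))
    return entries


def parse_shells(text):
    """Return the set of shells listed in /etc/shells-format text."""
    return {
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def classify(user, shell, shells, ftpusers=frozenset()):
    """Verdict for one account under the ftpusers and /etc/shells rules."""
    if user in ftpusers:
        return "ftp-denied (ftpusers)"
    if shell not in shells:
        return "ftp-denied"
    if shell in NOLOGIN_SHELLS:
        return "mail-only but ftp-capable"  # the case the post describes
    return "ftp-capable"


def audit(passwd_text, shells, ftpusers=frozenset()):
    """Map each user in the passwd text to its verdict."""
    return {
        user: classify(user, shell, shells, ftpusers)
        for user, shell in parse_passwd(passwd_text)
    }


def hardened_shells(shells):
    """Drop no-login shells from /etc/shells so ftpd refuses those accounts."""
    return set(shells) - NOLOGIN_SHELLS


if __name__ == "__main__":
    shells = parse_shells(SAMPLE_SHELLS)
    stages = (
        ("as configured", shells, frozenset()),
        ("after removing /bin/false from /etc/shells", hardened_shells(shells), frozenset()),
        ("after listing popuser in /etc/ftpusers", shells, frozenset({"popuser"})),
    )
    for label, s, deny in stages:
        print(label)
        for user, verdict in audit(SAMPLE_PASSWD, s, deny).items():
            print(f"  {user:10s} {verdict}")
```

Either remedy in the last two stages closes the hole for FTP (removing /bin/false from /etc/shells, or naming the mail-only users in /etc/ftpusers) while ipop3d keeps authenticating the same passwd entry, which is the intended use. On a real host, replace the sample strings with the contents of /etc/passwd, /etc/shells and /etc/ftpusers, and confirm with an actual ftp login attempt, since an ftpd built without the shells check ignores /etc/shells entirely.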




