List:       listar-dev
Subject:    [EDev] Re: Potential vulnerability -- who to contact?
From:       Matthias Kilian <kili () outback ! escape ! de>
Date:       2006-01-15 11:44:27
Message-ID: 20060115114427.GA8797 () petunia ! outback ! escape ! de

On Sun, Jan 15, 2006 at 02:40:22AM -0800, Robin Lee Powell wrote:
> > Who should I contact?
> 
> Us.
> 
> What's up?

It's a simple conceptual problem with pantomime: when pantomime-dir
is set, ecartis strips attachments not only from mails to
<$list>@<$hostname>, but also from mails to <$list>-request@<$hostname>,
and maybe from mails to other administrative addresses -- I only
checked for -request@.

This means that anyone could abuse ecartis lists with pantomime for
distributing arbitrary (illegal) content without being subscribed
to any mailing list (even if all lists are closed-post) and without
the list-owner and anyone else noticing.

A solution would be to pantomime *only* on the mailing lists, not
on administrative addresses.

Ciao,
	Kili
