List: listar-dev
Subject: [EDev] Re: Potential vulnerability -- who to contact?
From: Matthias Kilian <kili () outback ! escape ! de>
Date: 2006-01-15 11:44:27
Message-ID: 20060115114427.GA8797 () petunia ! outback ! escape ! de
On Sun, Jan 15, 2006 at 02:40:22AM -0800, Robin Lee Powell wrote:
> > Who should I contact?
>
> Us.
>
> What's up?

It's a simple conceptual problem with pantomime: when pantomime-dir
is set, ecartis strips attachments not only from mails to
<$list>@<$hostname>, but also from mails to <$list>-request@<$hostname>,
and maybe from mails to other administrative addresses -- I only
checked for -request@.

This means that anyone could abuse ecartis lists with pantomime for
distributing arbitrary (illegal) content without being subscribed
to any mailing list (even if all lists are closed-post) and without
the list-owner and anyone else noticing.

A solution would be to pantomime *only* on the mailing lists, not
on administrative addresses.

Ciao,
Kili
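
The fix proposed in the message above, sketched as an added example (not part of the original post and not ecartis code): attachments are only stripped and hosted when the recipient is exactly <$list>@<$hostname>, so -request@ and every other address is refused by default. All function names and the sample addresses are hypothetical, and the extra "accepted for posting" condition is an assumption that goes one step beyond what the message asks for.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: true only when rcpt is exactly <list>@<hostname>,
 * optionally wrapped in angle brackets and surrounding whitespace.
 * Allow-listing the posting address avoids enumerating admin suffixes. */
bool is_list_post_address(const char *rcpt, const char *list, const char *hostname)
{
    if (!rcpt || !list || !hostname) return false;
    while (isspace((unsigned char)*rcpt)) rcpt++;
    size_t len = strlen(rcpt);
    while (len > 0 && isspace((unsigned char)rcpt[len - 1])) len--;
    if (len >= 2 && rcpt[0] == '<' && rcpt[len - 1] == '>') { rcpt++; len -= 2; }

    size_t llen = strlen(list), hlen = strlen(hostname);
    if (llen == 0 || hlen == 0) return false;
    if (len != llen + 1 + hlen) return false;   /* rejects list-request@host etc. */
    if (strncasecmp(rcpt, list, llen) != 0) return false;
    if (rcpt[llen] != '@') return false;
    return strncasecmp(rcpt + llen + 1, hostname, hlen) == 0;
}

/* Hypothetical gate in front of attachment stripping/hosting.
 * accepted_for_posting is an assumption of this sketch: the caller has
 * already decided the message will be distributed to the list. */
bool should_strip_attachments(bool pantomime_dir_set, const char *rcpt,
                              const char *list, const char *hostname,
                              bool accepted_for_posting)
{
    if (!pantomime_dir_set) return false;
    if (!is_list_post_address(rcpt, list, hostname)) return false;
    return accepted_for_posting;
}

int main(void)
{
    /* Constructed sample recipients for a list "dev" on lists.example.org. */
    const char *rcpts[] = { "dev@lists.example.org", "<dev-request@lists.example.org>",
                            "dev@lists.example.org.example.net" };
    for (size_t i = 0; i < sizeof rcpts / sizeof rcpts[0]; i++)
        printf("%-40s strip=%d\n", rcpts[i],
               should_strip_attachments(true, rcpts[i], "dev", "lists.example.org", true));
    return 0;
}
```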