List: listar-dev
Subject: [EDev] Re: Potential vulnerability -- who to contact?
From: Matthias Kilian <kili () outback ! escape ! de>
Date: 2006-01-19 21:56:06
Message-ID: 20060119215606.GA30577 () petunia ! outback ! escape ! de
On Thu, Jan 19, 2006 at 12:14:58AM -0800, Blars Blarson wrote:
> >This means that anyone could abuse ecartis lists with pantomime for
> >distributing arbitrary (illegal) content without being subscribed
> >to any mailing list (even if all lists are closed-post) and without
> >the list-owner and anyone else noticing.
>
> What does pantomime do with messages waiting for moderator approval?
> Having those available would be bad also.
Yes, I could just confirm this with the (outdated) snapshot 20050909
for a list with closed-post = true.
> >A solution would be to pantomime *only* on the mailing lists, not
> >on administrative addresses.
>
> A possible workaround for now would be to have pantomime decode into a
> restricted directory, and manually move approved attachments to an
> accessible one.
Well, as noted, with newer snapshots, I haven't yet gotten pantomime
to work at all.
In any case, could someone at least try to reproduce the problem
with ecartis-20050909? Just to be sure I've not screwed up anything
else or that it's some weird porting error (I'm running this on
OpenBSD).
Ciao,
Kili
--
|---------------------------------------|
| Crystalballerror in module Future. |
| [Protest] [vehement protest] |
|---------------------------------------| Nils Ketelsen in de.alt.admin