
List:       listar-dev
Subject:    [EDev] Re: Potential vulnerability -- who to contact?
From:       Matthias Kilian <kili () outback ! escape ! de>
Date:       2006-01-19 21:56:06
Message-ID: 20060119215606.GA30577 () petunia ! outback ! escape ! de

On Thu, Jan 19, 2006 at 12:14:58AM -0800, Blars Blarson wrote:
> >This means that anyone could abuse ecartis lists with pantomime for
> >distributing arbitrary (illegal) content without being subscribed
> >to any mailing list (even if all lists are closed-post) and without
> >the list-owner and anyone else noticing.
> 
> What does pantomime do with messages waiting for moderator approval?
> Having those available would be bad also.

Yes, I could just confirm this with the (outdated) snapshot 20050909
for a list with closed-post = true.

> >A solution would be to pantomime *only* on the mailing lists, not
> >on administrative addresses.
> 
> A possible workaround for now would be to have pantomime decode into a
> restricted directory, and manually move approved attachments to an
> accessible one.

Well, as noted, with newer snapshots, I didn't yet get pantomime
to work at all.

In any case, could someone at least try to reproduce the problem
with ecartis-20050909? Just to be sure I've not screwed up anything
else or that it's some weird porting error (I'm running this on
OpenBSD).

Ciao,
	Kili

-- 
|---------------------------------------|
|   Crystalballerror in module Future.  |
|      [Protest] [vehement protest]     |
|---------------------------------------|  Nils Ketelsen in de.alt.admin
