Re: Saving attachments (was Re: MIME decoding patch)

---------

From: Craig A Summerhill (craig@cni.org)
Date: Fri Jul 30 1999 - 11:27:52 CDT


On Fri, 30 Jul 1999, Daniel Stenberg <daniel.stenberg@sth.frontec.se> wrote:
>
> On Fri, 2 Jul 1999, Paul Haldane wrote:
> >
> > Some sites (alright at least one site that I know well) are cautious
> > about deploying the new version of hypermail with the ability to make
> > ready decoded attachments available. Concerns relate to the possibility
> > of a file infected with a macro virus being sent as an attachment and
> > then 'run' directly from the web site.
>
> This concern comes up every now and then. I don't understand the
> reason for this worry. Could someone please share their wisdom and
> tell me a fully possible way to attack a PROPERLY setup web server
> this way?

As Paul already noted, there are other concerns (macro viruses, etc.).

However, a properly configured http server could still be subjected
to malevolent actions by an attached CGI script if the server was
configured to allow .htaccess files to override global parameters
*and* if the same person also sent an attached .htaccess file
containing the settings (ExecCGI) s/he desired to enable in the
given directory.

I realize that there are ways to prevent this problem too (for instance
the installation of a .htaccess file with 0400 permissions in any
directory where attachments will be uncompressed). I think the bottom
line is a) programming hypermail not to make any *really* stupid moves,
and b) documenting a suggested best practice explaining how to avoid
potential vulnerabilities. You can't force people to read your
recommended configuration guidelines, but at least you can point to
them when somebody complains they weren't adequately warned...

-- 
   Craig A. Summerhill, Systems Coordinator and Program Officer
   Coalition for Networked Information
   21 Dupont Circle, N.W., Washington, D.C.   20036
   Internet: craig@cni.org   AT&Tnet (202) 296-5098
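
[Added example; this is not part of Craig's message and not code from the
hypermail sources.] The two measures Craig suggests, a read-only .htaccess in
every directory that receives decoded attachments and a check of the tree
for .htaccess files a poster mailed in, as a POSIX sh script. It assumes
attachments are unpacked under one root with one subdirectory per message,
Apache 1.3 directive names, and that hypermail opens an existing output file
for writing rather than unlinking and recreating it. The sample tree the
script builds is constructed for the demonstration, not real list traffic.

```sh
#!/bin/sh
# Added example for the hypermail attachment discussion (not hypermail's
# own code). Assumptions: attachments live under one root, one directory
# per message; Apache 1.3 directive names; hypermail writes attachments
# with a plain open-for-write, so a 0400 file it does not own blocks it.

# Directives that let a mailed-in .htaccess turn an attachment directory
# into a CGI directory when AllowOverride permits them. "ExecCGI" after a
# space or "+" enables; "-ExecCGI" disables and is deliberately not matched.
DANGEROUS='(^|[[:space:]+])ExecCGI|^[[:space:]]*(AddHandler|Action|SetHandler[[:space:]]+cgi-script)'

# Craig's guard: a 0400 .htaccess that forces static serving of everything
# in the directory. Its text must not itself contain an enabling directive.
install_guard_htaccess() {
    dir=$1
    guard="$dir/.htaccess"
    mkdir -p "$dir"
    # A previous guard is read-only; make it writable before replacing it.
    if [ -f "$guard" ]; then chmod 0600 "$guard"; fi
    printf '%s\n' \
        '# hypermail attachment guard: serve every attachment as opaque data' \
        'Options -ExecCGI -Includes' \
        'RemoveHandler .cgi .pl .sh .shtml' \
        'SetHandler default-handler' > "$guard"
    chmod 0400 "$guard"
}

# Report every .htaccess under $1 that is writable (mode string contains
# "w") or carries an enabling directive. One finding per line on stdout;
# returns 0 when the tree is clean, 1 otherwise.
audit_htaccess() {
    root=$1
    bad=0
    for f in $(find "$root" -name .htaccess | sort); do
        # First field of ls -ld is the mode string, e.g. -rw-r--r--
        set -- $(ls -ld "$f")
        case $1 in
            *w*) printf 'WRITABLE %s %s\n' "$1" "$f"; bad=$((bad + 1)) ;;
        esac
        hits=$(grep -Ein "$DANGEROUS" "$f" || true)
        if [ -n "$hits" ]; then
            printf 'DIRECTIVE %s\n%s\n' "$f" "$hits"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample tree (not real list traffic): message 0001 carries the
# two attachments a hostile poster would send, a CGI and the .htaccess that
# enables it; message 0002 has the guard installed before any decoding.
make_sample_tree() {
    root=$1
    mkdir -p "$root/attack/0001"
    printf '#!/bin/sh\necho "Content-type: text/plain"\necho\nid\n' \
        > "$root/attack/0001/README.cgi"
    printf 'Options +ExecCGI\nAddHandler cgi-script .cgi\n' \
        > "$root/attack/0001/.htaccess"
    install_guard_htaccess "$root/guarded/0002"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_tree "$tmp"
    if audit_htaccess "$tmp"; then
        echo "attachment tree is clean"
    else
        echo "mailed-in .htaccess found; remove it or set AllowOverride None"
    fi
    rm -rf "$tmp"
}
demo
```

Run it with `sh htaccess-guard.sh`; the audit lists the poster's .htaccess
under attack/0001 and passes the guarded directory. The 0400 file is a
stopgap: whatever owns the directory hypermail writes into can unlink and
recreate it, so the setting that actually closes the hole is
`AllowOverride None` (together with `Options None`) in a `<Directory>`
block covering the attachment tree in httpd.conf, which leaves any
.htaccess a poster mails in inert whatever it contains.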

---------

This archive was generated by hypermail 2.1.5.