Description

The "read mail" module, allows you to attach a file even
when the user is set to be unable to attach server files
(sorry fot my english)

Impact

I were able to attach /etc/passwd and others files.

Workaround

Setting tighter file permissions.
May be "chrooting" the user could avoid this. In this
particular system I manage, they are not allowed to
login, but they are not "chrooted".

Probably modifing the pl file. But I don't program in perl :-
)

Discussion

Jamie Cameron - 2005-02-02

Logged In: YES
user_id=129364

This is not really a bug, as normal Unix file permissions
still apply, so really critical files like /etc/shadow
cannot be used as a signature. Also, the feature for
attaching server-side files could be used in the same way ..

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jamie Cameron - 2005-02-02

status: open --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Signature allows you to attach a system file.

A web-based interface for system administration of UNIX

Group

Searches

Help

#195 Signature allows you to attach a system file.

Description

Impact

Workaround

Discussion