[3352] in WWW Security List Archive
RE: www web security !
daemon@ATHENA.MIT.EDU (Alex Filacchione)
Wed Oct 23 20:29:48 1996
From: Alex Filacchione <alexf@iss.net>
To: "'hallam@ai.mit.edu'" <hallam@ai.mit.edu>,
"www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>
Date: Wed, 23 Oct 1996 17:37:57 -0400
Errors-To: owner-www-security@ns2.rutgers.edu
>Re: Sendmail. The latest, 8.8, is vulnerable. The vulnerability was
>posted to bugtraq and BoS on the 17th.
Re sendmail, just do not use this piece of incompetent software. If
you must have a mailer on the machine at all run one that was
written by someone who is marginally competent.
There are solutions. TIS (Trusted Information Systems) has the FWTK
(Firewall Toolkit) which can be downloaded for free. Even if you don't
use the firewall itself, it comes with two programs, smap and smapd. These
interact with sendmail and act as a front end. This disallows any direct
contact with sendmail, making attacks such as the recent buffer overflow
attacks essentially useless from the hacker's point of view. Smap is what
the outsider talks to, and you can't really get any info from it. It takes
the mail and stores it somewhere on the machine. Then smapd comes along
(from the inside net) and grabs the mail from smap, and passes it to
sendmail on the inside, which distributes it. You are essentially proxying
the email before it gets to sendmail. This only leaves you open to mail
reader specific types of attacks. Products like MIMESweeper may help check
MIME encoded mail, but I really don't know enough about MIMESweeper to
comment on it further. I don't know if it is freeware, shareware, or a
commercial product, or who makes it or anything. I just know that it
exists. If someone else knows more about it maybe they can post some info?
Alex F
alexf@iss.net
webmaster/security training
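
The store-and-forward split described in the message above, as an added example that is not part of the original post and is not FWTK code. It is a simplified sketch: the names front_end, queue_runner, MAX_LINE and the deliver callback are assumptions, and the session is constructed sample input.

```python
import os
import tempfile

MAX_LINE = 512  # assumed cap: oversize lines are refused, never buffered
VERBS = ("HELO", "MAIL FROM:", "RCPT TO:", "DATA", "QUIT")
SESSION = ["HELO client.example", "MAIL FROM:<a@example.org>",  # constructed sample
           "RCPT TO:<b@example.net>", "DATA", "Subject: hi", "", "..leading dot", ".", "QUIT"]

def front_end(lines, spool_dir):
    """smap-like role: minimal SMTP dialogue, then spool. Returns (replies, path)."""
    replies, envelope, body, in_data, path = ["220 ready"], [], [], False, None
    for raw in lines:
        if len(raw) > MAX_LINE:
            replies.append("500 line too long")
            break
        if in_data:
            if raw != ".":
                body.append(raw[1:] if raw.startswith(".") else raw)  # dot-unstuff
                continue
            fd, tmp = tempfile.mkstemp(dir=spool_dir, prefix="tmp.")
            with os.fdopen(fd, "w") as f:
                f.write("\n".join(envelope + [""] + body) + "\n")
            path = os.path.join(spool_dir, "msg." + os.path.basename(tmp)[4:])
            os.rename(tmp, path)  # atomic: the runner never sees a partial file
            replies.append("250 queued")
            envelope, body, in_data = [], [], False
            continue
        verb = next((v for v in VERBS if raw.upper().startswith(v)), None)
        if verb is None:
            replies.append("500 command not recognized")
        elif verb == "QUIT":
            replies.append("221 bye")
            break
        elif verb == "DATA":
            in_data = len(envelope) >= 2  # crude: two envelope lines (MAIL, RCPT) seen
            replies.append("354 send data" if in_data else "503 bad sequence")
        else:
            if verb != "HELO":
                envelope.append(raw)
            replies.append("250 ok")
    return replies, path

def queue_runner(spool_dir, deliver):
    """smapd-like role: hand each complete spool file to the real MTA (deliver)."""
    count = 0
    for name in sorted(os.listdir(spool_dir)):
        if name.startswith("msg."):
            full = os.path.join(spool_dir, name)
            with open(full) as f:
                deliver(f.read())
            os.remove(full)
            count += 1
    return count
```

The network-facing half only recognizes five verbs and writes a file; everything that interprets addresses or headers happens later, in the process that never talks to the outside.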