[3378] in WWW Security List Archive
RE: www web security !
daemon@ATHENA.MIT.EDU (Alex Filacchione)
Fri Oct 25 14:43:57 1996
From: Alex Filacchione <alexf@iss.net>
To: "'Wolfgang Ley'" <ley@cert.dfn.de>
Cc: "www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>
Date: Fri, 25 Oct 1996 12:26:18 -0400
Errors-To: owner-www-security@ns2.rutgers.edu
----------
From: Wolfgang Ley[SMTP:ley@cert.dfn.de]
Sent: Thursday, October 24, 1996 4:31 AM
To: Alex Filacchione
Cc: www-security@ns2.rutgers.edu
Subject: Re: www web security !
Completely wrong. I don't know why people are trusting smap/smapd to protect
you against sendmail errors. As you already said: that software is just the
frontend that talks to the user - it then happily passes the mail to
sendmail.
The buffer overflow bug/exploit in sendmail 8.8.0 worked just fine with smap
as "protection"...
=-=-=-=-
As I said I was only aware of the MIME related problem. I did not realize
that there was a buffer overflow problem with 8.8.0 as well. Completely
wrong? I would not go that far... but your point is taken. Smap (and I
believe upas) can not prevent "Data driven attacks." Data needs to be sent
through or mail won't get anywhere. Smap also won't allow ESMTP, including
MIME extensions. It is not a be-all-end-all solution, however, in many
cases it is better than nothing. I never touted it as a "silver bullet"
for sendmail problems, sorry if it came across that way.
=-=-=-=-
Please recheck your security tips to ensure that they will actually help
people to protect themselves.
=-=-=-
So you are saying that smap is useless? I don't think so. Just because it
only protects against *most* kinds of errors and not *all* does not mean
that it will not help people protect themselves. It just won't help them
with data-driven attacks. As I am sure you know, data driven attacks (such
as the recent buffer overflow problems) are not sendmail's ONLY problems.
=-=-=-
I also don't think that sendmail problems (like
a whole bunch of other topics in the past) should be discussed on a
*www*-security mailing list.
=-=-=-
Actually it was the result of a WWW Security-related thread. Although I
agree that it is not necessarily on topic for the list, it is still
educational, and I am not one to answer a WWW security related question,
and then when it moves to a tangent say "I know the answer, but I will NOT
give it to you since it is not WWW related." People are on this list to
learn (including myself), and if a WWW-related conversation goes a little
off topic but it still relates somewhat and is educational then so be it.
At least people are learning (hopefully). Isn't that what it's all about
anyway? I don't think one should abruptly halt the learning process just
because the topic strays slightly. Maybe I'm the only one.
Alex F