[3380] in WWW Security List Archive


Re: www web security !

daemon@ATHENA.MIT.EDU (Wolfgang Ley)
Fri Oct 25 15:16:40 1996

From: Wolfgang Ley <ley@cert.dfn.de>
To: alexf@iss.net (Alex Filacchione)
Date: Fri, 25 Oct 1996 19:01:27 +0200 (MET DST)
Cc: www-security@ns2.rutgers.edu
Reply-To: ley@cert.dfn.de (Wolfgang Ley)
In-Reply-To: <01BBC26F.BA0579A0@alexf.iss.net> from "Alex Filacchione" at Oct 25, 96 12:26:18 pm
Errors-To: owner-www-security@ns2.rutgers.edu

-----BEGIN PGP SIGNED MESSAGE-----

Alex Filacchione wrote:
>
> So you are saying that smap is useless?  I don't think so.  Just because it
> only protects against *most* kinds of errors and not *all* does not mean
> that it will not help people protect themselves.  It just won't help them
> with data-driven attacks.  As I am sure you know, data driven attacks (such
> as the recent buffer overflow problems) are not sendmail's ONLY problems.

I'm not aware of any attack that will work against up-to-date sendmail
versions but will be prevented by using smap. smap only changes direct
SMTP remote access to sendmail to an indirect way. So what does this
help you? I won't say that it protects you against "*most* kinds of errors"
but would say it protects you against some known kinds of errors which
are also already fixed in current sendmail implementations.

I'm also not aware of a MIME security bug in the ESMTP protocol (please let
me know if there is one). The bug in sendmail 8.8.0/8.8.1 was MIME related,
but was triggered by an automated MIME transformation of the *body* and
I'm not sure if that could be blocked with smap.

The security bugs covered by smap (illegal sender or recipient addresses)
are already fixed in sendmail itself. And as you said smap "just won't help
them with data-driven attacks". So currently I'm not sure if using smap is
good security advice or not. It may help you against some unknown attacks
in the ESMTP handling of sendmail but it also gives you the danger of
additional security problems because you're now using an additional
program which may contain bugs, too.

Another problem is the wrong feeling of "being secure" when using smap.
Some people might start to think that they can be more relaxed fixing
sendmail security problems "because we're using smap...". Of course this
is an educational problem and not a problem of smap or sendmail, but I do
have some experiences with such people (like "we do have a firewall so
we are secure").

Bye,
  Wolfgang.
- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg,    Germany
Email: ley@cert.dfn.de   Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/               ...have a nice day

