[3388] in WWW Security List Archive
RE: www web security !
daemon@ATHENA.MIT.EDU (Alex Filacchione)
Mon Oct 28 13:48:07 1996
From: Alex Filacchione <alexf@iss.net>
To: "'ley@cert.dfn.de'" <ley@cert.dfn.de>
Cc: "www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>
Date: Mon, 28 Oct 1996 11:07:45 -0500
Errors-To: owner-www-security@ns2.rutgers.edu
I'm not aware of any attack that will work against up-to-date sendmail
versions but will be prevented by using smap. smap only changes direct
SMTP remote access to sendmail to an indirect way. So what does this
help you? I won't say that it protects you against "*most* kinds of errors"
but would say it protects you against some known kinds of errors which
are also already fixed in current sendmail implementations.
=-=-=-=-
You are correct. The reason I stated what I did is simply because of
this... How many people do you know that have the latest sendmail update?
Being in the security industry probably a lot, but out of the total
machines out there, not that many are totally up-to-date. Getting SMAP is
the LEAST that one should do. Yes, keeping current on sendmail is better
at this point (esp. in the last few months), but think about this...
sendmail (lately) has only been vulnerable to buffer overflow types of
attacks *recently*. In the very recent past (what, about June or so?)
there were other bugs that could be exploited. Smap *would* have helped
against those. While Smap may not be able to protect against recent
attacks it was a form of protection that was reasonable until recently. I
would rather see someone with an old sendmail upgrade, but if they do not
do that (for one reason or another) the very least that they can do is use
Smap (or something like it) to at least limit their attackers' information
(vers.) and attacks. Like I said, it is by no means a silver bullet. You
are correct in mentioning that it should not lead to a false sense of
security. Personally, however, I think that firewalls lead to a false
sense of security to a much greater degree, but that's another thread :)
In regards to ESMTP, it is not supported by Smap as far as I know.
Later,
Alex F
alexf@iss.net
webmaster/security training
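Added illustration, not part of the list post and not smap's own code: a toy smap-style SMTP front-end that shows what "indirect" access to the MTA buys you. The client only ever talks to this small wrapper, which accepts a fixed command set (EHLO is refused, so no ESMTP is offered), enforces a hard line-length bound instead of buffering arbitrary input, sends a banner with no product or version string, and hands accepted messages to a spool that the real mailer would read later. The hostname "mailhub", the recipient cap, and the reply wording are assumptions; the session fed in is constructed.

```python
import re
from typing import Dict, List, Tuple

MAX_LINE = 512    # RFC 821 limit on an SMTP command line; anything longer is refused outright
MAX_RCPT = 100    # recipients accepted per message (assumed local policy)
HOSTNAME = "mailhub"                                # assumed name shown to clients
BANNER = f"220 {HOSTNAME} SMTP service ready"       # no product name or version leaks here
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
PATH_RE = re.compile(r"^<([^<>\s]+@[^<>\s]+)?>$")   # <user@host>, or <> for the null sender


def smap_session(client_lines: List[str]) -> Tuple[List[str], List[Dict]]:
    """Feed one client's lines through the front-end.

    Returns the server replies in order and the messages accepted for
    spooling. The real MTA never talks to the client; it only reads the spool.
    """
    replies = [BANNER]
    spooled: List[Dict] = []
    helo = sender = None
    rcpts: List[str] = []
    body: List[str] = []
    in_data = False

    def reset() -> None:
        nonlocal sender, rcpts, body, in_data
        sender, rcpts, body, in_data = None, [], [], False

    for raw in client_lines:
        line = raw.rstrip("\r\n")
        if len(line) > MAX_LINE:
            # Refuse the line instead of buffering it; an over-long line inside
            # DATA discards the whole message rather than passing it on.
            replies.append("554 Line too long" if in_data else "500 Line too long")
            if in_data:
                reset()
            continue
        if in_data:
            if line == ".":
                spooled.append({"helo": helo, "sender": sender,
                                "rcpts": list(rcpts), "body": list(body)})
                replies.append("250 OK message spooled")
                reset()
            else:
                body.append(line[1:] if line.startswith(".") else line)  # undo dot-stuffing
            continue

        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        arg = parts[1].strip() if len(parts) > 1 else ""
        if verb not in ALLOWED:
            replies.append("500 Command unrecognized")   # EHLO lands here: no ESMTP
        elif verb == "HELO":
            if not arg:
                replies.append("501 Syntax: HELO hostname")
            else:
                helo = arg
                replies.append(f"250 {HOSTNAME}")
        elif verb == "MAIL":
            path = arg[5:].strip()
            if helo is None:
                replies.append("503 Bad sequence of commands")
            elif not arg.upper().startswith("FROM:") or not PATH_RE.match(path):
                replies.append("501 Syntax: MAIL FROM:<address>")
            else:
                reset()
                sender = path
                replies.append("250 OK")
        elif verb == "RCPT":
            path = arg[3:].strip()
            match = PATH_RE.match(path)
            if sender is None:
                replies.append("503 Need MAIL command first")
            elif not arg.upper().startswith("TO:") or not match or not match.group(1):
                replies.append("501 Syntax: RCPT TO:<address>")
            elif len(rcpts) >= MAX_RCPT:
                replies.append("452 Too many recipients")
            else:
                rcpts.append(path)
                replies.append("250 OK")
        elif verb == "DATA":
            if not rcpts:
                replies.append("503 Need RCPT command first")
            else:
                in_data = True
                replies.append("354 Enter mail, end with a line containing only '.'")
        elif verb == "RSET":
            reset()
            replies.append("250 OK")
        elif verb == "NOOP":
            replies.append("250 OK")
        else:  # QUIT
            replies.append(f"221 {HOSTNAME} closing connection")
            break
    return replies, spooled


if __name__ == "__main__":
    # Constructed session: an EHLO probe, then a plain HELO delivery.
    session = ["EHLO client.example", "HELO client.example",
               "MAIL FROM:<alice@example.org>", "RCPT TO:<bob@example.net>",
               "DATA", "Subject: test", "", "..leading dot", ".", "QUIT"]
    for reply in smap_session(session)[0]:
        print(reply)
```

The point the thread makes is visible in the code: the wrapper is small enough to audit, it never forwards the client's bytes to the mailer, it caps every line, and the only thing a remote party learns from the banner is that some SMTP service exists.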