[12829] in bugtraq
Re: serious Qpopper 3.0 vulnerability
daemon@ATHENA.MIT.EDU (M. Adam Kendall)
Thu Dec 2 16:04:34 1999
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
Message-Id: <199912011802.NAA13657@mail.roava.net>
Date: Wed, 1 Dec 1999 13:12:39 -0500
Reply-To: "M. Adam Kendall" <mak@KHA0S.ORG>
From: "M. Adam Kendall" <mak@KHA0S.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <0b6001bf3b5b$e42d4ce0$16e1fcce@adhara.bigsky.net>
On 30-Nov-1999 Josh Higham wrote:
>>PS: The installation file suggests to run qpopper without tcpd, e.g.:
>>pop3 stream tcp nowait root /usr/local/lib/qpopper qpopper -s
>>I would NOT suggest doing it that way. Use:
>
> Does anyone know why qpopper suggests running without wrappers?
It doesn't suggest running it without wrappers.. it just doesn't suggest
that you DO. Like most documentation, it doesn't assume you are running
anything but their software, and therefore doesn't specifically mention
the use of wrappers. How are they supposed to know that YOU (specifically)
happen to have something else installed?
Hell, even those vendors that DO know you have wrappers installed
don't mention anything about it. Those are the folks that you should
be 'scolding'. Just as a case in point, from a stock RH6.1 box:
#linuxconf stream tcp wait root /bin/linuxconf linuxconf --http
*sigh*
--
M. Adam Kendall |
mak@kha0s.org | "There's never enough time to do
http://kha0s.org | all the nothing you want."
| --Bill Watterson (Calvin and Hobbes)
