From: Niall Smart
Message-Id: <199809102121.WAA01790@indigo.ie>
Date: Thu, 10 Sep 1998 22:21:04 +0000
To: Studded, Michael Richards <026809r@dragon.acadiau.ca>
Cc: security@FreeBSD.ORG
Subject: Re: cat exploit

On Sep 10, 11:22am, Studded wrote:
} Subject: Re: cat exploit
> Michael Richards wrote:
> >
> > Hi.
> >
> > Is it just me or did everyone miss the point of Jay's message?
>
> It seems to me that a lot of people missed the point of one of the
> warnings that someone else posted in response actually. Don't use cat
> routinely to view files. Use more, or better yet less since less doesn't
> view binary files by default.

The "well don't do that then" response is not the correct solution to
this problem. The issue is that the terminal emulator doesn't have an
option to disable the features which are dangerous (which should be
disabled by default). This is a subtle attack which can be prevented
in this way with far greater effectiveness than relying on the
administrator/user to understand and remember the potential for
exploitation present in seemingly innocuous actions.

Perhaps someone will now be prompted to make the necessary changes. :)

Niall

--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies:
echo '#define if(x) if (!(x))' >> /usr/include/stdio.h
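
An added illustration, not part of the original message or of any FreeBSD tool: a small Python viewer that renders every control byte in visible cat -v style notation, so that file contents cannot drive the terminal whatever the emulator supports. The function names and the sample bytes are constructed for this example.

```python
import sys

# Constructed sample: a clear-screen CSI, a title-setting OSC and an 8-bit CSI.
SAMPLE = b"plain text\n\x1b[2Jhidden\x1b]0;title\x07\n\x9b1m"


def is_control(b: int) -> bool:
    """True for bytes a terminal may act on: C0 (except LF/TAB), DEL, 8-bit C1."""
    if b in (0x0A, 0x09):
        return False
    return b < 0x20 or b == 0x7F or 0x80 <= b <= 0x9F


def control_offsets(data: bytes) -> list:
    """Offsets of every control byte, for reporting before display."""
    return [i for i, b in enumerate(data) if is_control(b)]


def visible(data: bytes) -> str:
    """Render data so that no byte can drive the terminal (cat -v notation)."""
    out = []
    for b in data:
        prefix = ""
        if b >= 0x80:
            # High bytes get an M- prefix. This also mangles UTF-8 text,
            # the price of never emitting an 8-bit C1 control such as 0x9b.
            prefix, b = "M-", b & 0x7F
        elif b in (0x0A, 0x09):
            out.append(chr(b))  # newline and tab pass through unchanged
            continue
        if b < 0x20:
            out.append(prefix + "^" + chr(b + 0x40))  # ESC becomes ^[
        elif b == 0x7F:
            out.append(prefix + "^?")
        else:
            out.append(prefix + chr(b))
    return "".join(out)


if __name__ == "__main__":
    paths = sys.argv[1:]
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        hits = control_offsets(data)
        if hits:
            print(f"{path}: {len(hits)} control byte(s), first at offset {hits[0]}",
                  file=sys.stderr)
        sys.stdout.write(visible(data))
    if not paths:
        sys.stdout.write(visible(SAMPLE) + "\n")
```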