Date: Mon, 17 Apr 2000 20:04:36 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: "Michael S. Fischer" <michael@dynamine.net>
Cc: security@FreeBSD.org
Subject: Re: Fw: Re: imapd4r1 v12.264
Message-ID: <Pine.BSF.4.21.0004172002040.96730-100000@freefall.freebsd.org>
In-Reply-To: <00ae01bfa8d7$ad5188a0$7f00800a@corp.auctionwatch.com>

On Mon, 17 Apr 2000, Michael S. Fischer wrote:

> Are you saying that remotely giving access to the user's account isn't bad
> enough? In my environment, certain users have sudo access...

No, I'm saying that in some (perhaps most) environments the user already has shell access to the machine, so it's not a risk (if my interpretation of the vulnerability is correct). If you have a machine which doesn't allow shell access, but serves users with imap, then they can exploit the vulnerability to gain shell access to the machine.

Note that you need to successfully log into an account on the imap server to exploit the problem, which means knowing the password.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message