Date:      Mon, 17 Apr 2000 20:04:36 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        "Michael S. Fischer" <michael@dynamine.net>
Cc:        security@FreeBSD.org
Subject:   Re: Fw:      Re: imapd4r1 v12.264
Message-ID:  <Pine.BSF.4.21.0004172002040.96730-100000@freefall.freebsd.org>
In-Reply-To: <00ae01bfa8d7$ad5188a0$7f00800a@corp.auctionwatch.com>

On Mon, 17 Apr 2000, Michael S. Fischer wrote:

> Are you saying that remotely giving access to the user's account isn't bad
> enough?  In my environment, certain users have sudo access...

No, I'm saying that in some (perhaps most) environments the user already
has shell access to the machine, so it's not a risk (if my interpretation
of the vulnerability is correct). If you have a machine which doesn't
allow shell access, but serves users with imap, then they can exploit the
vulnerability to gain shell access to the machine. Note that you need to
successfully log into an account on the imap server to exploit the
problem, which means knowing the password.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>


