Path: utzoo!attcan!uunet!mcsun!hp4nl!ruuinf!praxis!edwin
From: edwin@praxis.cs.ruu.nl (Edwin Kremer)
Newsgroups: comp.mail.elm
Subject: Re: ** Serious Elm security hole + FIX **
Keywords: elm, $MAIL, read folder on startup
Message-ID: <1728@ruuinf.cs.ruu.nl>
Date: 23 Oct 89 08:15:33 GMT
References: <1726@ruuinf.cs.ruu.nl> <1989Oct22.222227.27140@DSI.COM>
Sender: news@ruuinf.cs.ruu.nl
Lines: 35

In article <1989Oct22.222227.27140@DSI.COM> syd@DSI.COM (Syd Weinstein) writes:
> Before I even saw this news article, my mailbox had a message from one
> of my local sites stating that the supplied patch will not work.
> It actually works too well. It causes you to get the message even in
> send-only mode (i.e. elm user@host).

Oops, you're right. Syd means that if you fake another one's mailbox by saying: setenv MAIL /usr/mail/root, then issue: elm user@site, you'll get a message like 'Can't open folder /usr/mail/root' and Elm will exit immediately. Ok, this is maybe not what we want, but it sure stops bad guys faking other ones' mailboxes.

> Please, for security problems, please let the vendor or author know
> first so a work around or patch can be derived, before making it public.

Maybe you're right, but I found this one so urgent that I decided to post it. Do you know how many mail boxes have already been read by some bad guys who knew about this problem ??? Even worse, if I had mailed it to you first (and your system was affected), anyone with access to your machine might have read it AND thrown it away !! (without you ever noticing my urgent mail message). You know, this was a situation in which you ask yourself "Can I trust mailing this or should I post it as soon as possible ??"

Besides, I made sure to send out a patch as well. Ok, maybe my patch wasn't the best one ever published, but it surely solves the problem. My apologies to all of you who hate my posting and would like to blow my head off as soon as possible for posting this.
--[ Edwin ]--
-- 
Edwin Kremer, Department of Computer Science, University of Utrecht
Padualaan 14, P.O. Box 80.089, 3508 TB Utrecht, The Netherlands
Phone : +31 - 30 - 534104  |  Telefax: +31 - 30 - 513791
E-Mail: edwin@cs.ruu.nl    |  UUCP to: ...!hp4nl!ruuinf!edwin
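The thread turns on two points: a setgid-mail reader must judge the folder named by $MAIL against the real user, not its own group privilege, and Syd's objection is that the posted patch applied that check even when Elm was only sending (elm user@host) and would never open a folder. The following is an added illustration of both points, written for this page; it is not Elm's own code and the function names (may_read, check_folder, elm_startup), the spool path /usr/mail/ and the enum values are assumptions for the example.

```c
/* Added example, not Elm's code: honour $MAIL only if the REAL user may
   read the file, and only make that check when the folder will actually
   be read (send-only mode skips it, so "elm user@host" is unaffected). */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>

#define MAILDIR "/usr/mail/"   /* spool directory named in the thread */

enum folder_status { FOLDER_OK, FOLDER_DENIED, FOLDER_MISSING };
enum startup_result { START_SEND_ONLY, START_READ, START_REFUSE };

/* Pure access rule: may the real user (uid/gid) read a file owned by
   f_uid/f_gid with permission bits `mode`?  Classic owner/group/other
   test; root reads anything.  Kept pure so it can be checked offline. */
int may_read(uid_t uid, gid_t gid, uid_t f_uid, gid_t f_gid, mode_t mode)
{
    if (uid == 0) return 1;
    if (uid == f_uid) return (mode & S_IRUSR) != 0;
    if (gid == f_gid) return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;
}

/* Open (with whatever privilege the program has), then fstat the open
   descriptor and judge it with the caller's REAL ids.  open+fstat avoids
   the stat-then-open race a plain stat() check would have. */
enum folder_status check_folder(const char *path, uid_t real_uid, gid_t real_gid)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return FOLDER_MISSING;
    if (fstat(fd, &st) != 0) { close(fd); return FOLDER_MISSING; }
    close(fd);
    return may_read(real_uid, real_gid, st.st_uid, st.st_gid, st.st_mode)
           ? FOLDER_OK : FOLDER_DENIED;
}

/* Resolve the incoming folder: $MAIL if set, else the spool file for
   `login`.  The value is untrusted until check_folder() passes. */
void default_folder(const char *login, char *buf, size_t len)
{
    const char *env = getenv("MAIL");
    if (env != NULL && *env != '\0')
        snprintf(buf, len, "%s", env);
    else
        snprintf(buf, len, "%s%s", MAILDIR, login);
}

/* Startup decision: in send-only mode the folder is never opened, so the
   check is skipped; otherwise refuse (with the message quoted in the
   thread) when the real user may not read it. */
enum startup_result elm_startup(const char *folder, int send_only,
                                uid_t real_uid, gid_t real_gid)
{
    if (send_only) return START_SEND_ONLY;
    if (check_folder(folder, real_uid, real_gid) != FOLDER_OK) {
        fprintf(stderr, "Can't open folder %s\n", folder);
        return START_REFUSE;
    }
    return START_READ;
}

/* Self-check: a freshly created private file (mode 0600, owned by us) is
   readable under the real ids.  Returns the folder_status after cleanup. */
int demo_own_mailbox(void)
{
    char path[] = "/tmp/elmfolderXXXXXX";   /* constructed, not a real spool file */
    int fd = mkstemp(path);
    if (fd < 0) return FOLDER_MISSING;
    close(fd);
    int status = check_folder(path, getuid(), getgid());
    unlink(path);
    return status;
}

int main(void)
{
    char folder[256];
    default_folder("edwin", folder, sizeof folder);
    printf("folder %s: startup result %d\n", folder,
           (int)elm_startup(folder, 0, getuid(), getgid()));
    printf("own private file: status %d\n", demo_own_mailbox());
    return 0;
}
```

The point of separating may_read from check_folder is that the decision uses getuid()/getgid(), the ids of the person who typed the command, while the open itself may succeed thanks to the setgid group; a folder that opens but fails the real-id test is exactly the "someone else's mailbox" case the thread is about. A program that needs to keep the descriptor should hand back the fd from check_folder rather than close and reopen, otherwise the race returns.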