Path: utzoo!attcan!uunet!husc6!mailrus!ames!killer!pollux!jgd
From: jgd@pollux.UUCP (Dr. James George Dunham)
Newsgroups: news.admin
Subject: Potential News B.2.11.14 Problem
Message-ID: <11319@pollux.UUCP>
Date: 26 Jul 88 21:54:05 GMT
Reply-To: jgd@pollux.UUCP (James George Dunham)
Organization: Department of Electrical Engineering; S.M.U.; Dallas, TX, 75275
Lines: 19

Recently an event happened with one of our local news sites that exposes a potential security problem with the current version of news B.2.11.14. This site received some news and spooled it. The machine went down and the name was accidentally changed. After coming up, the spooled news was received and then batched for the local feed sites with the changed name. An alert system operator noticed the name change since no one could communicate with it via UUCP and restored the proper name to the machine. The batched news was received by us and we accepted it with the changed name even though we do not have UUCP connections to that site nor is that site listed in our sys file. Thus news was propagated on the network with a bogus site in the path. Even though this is an unlikely set of events, a site wishing to inject bogus news on the network that would be difficult to track down could use this technique. I would suggest that the next version of news eliminate this potential problem by including a check to sys to see if the site is valid before accepting it.

-Jim Dunham
pollux!jgd
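
The check suggested in the post, as an added example that is not part of the original message or of the news software: an incoming article is accepted only when the first site in its Path is the name field of an entry in sys. It assumes sys holds one `name[/exclusions]:groups:flags:command` entry per site, with `#` comments and backslash continuation lines; `accept_article`, the sample sys text and the site name `bogus` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample sys file (assumed layout: name[/excl]:groups:flags:command). */
static const char SAMPLE_SYS[] =
    "# local entry and two feeds (constructed sample)\n"
    "pollux:comp,news,sci\n"
    "killer/pollux:comp,news,\\\n"
    "\tsci:F:/usr/spool/batch/killer\n"
    "ames:news::\n";

/* Copy the first hop of a bang path: the neighbour that handed us the article. */
static int first_hop(const char *path, char *out, size_t n)
{
    size_t len = strcspn(path, "!");
    if (len == 0 || len >= n) return 0;     /* empty or oversized site name */
    memcpy(out, path, len);
    out[len] = '\0';
    return 1;
}

/* Return 1 if `site` is the name field of some entry in the sys text. */
static int site_in_sys(const char *sys, const char *site)
{
    int cont = 0;                           /* previous line ended with a backslash */
    while (*sys) {
        size_t linelen = strcspn(sys, "\n");
        size_t namelen = strcspn(sys, ":/\n");
        if (!cont && *sys != '#' && namelen < linelen
            && namelen == strlen(site) && strncmp(sys, site, namelen) == 0)
            return 1;
        cont = linelen > 0 && sys[linelen - 1] == '\\';
        sys += linelen + (sys[linelen] == '\n');
    }
    return 0;
}

/* Accept only when the sending site named in Path is a configured neighbour. */
int accept_article(const char *sys, const char *path)
{
    char hop[64];
    return first_hop(path, hop, sizeof hop) && site_in_sys(sys, hop);
}

int main(void)
{
    printf("known feed: %d\n", accept_article(SAMPLE_SYS, "killer!ames!husc6!user"));
    printf("unlisted site: %d\n", accept_article(SAMPLE_SYS, "bogus!killer!ames!user"));
    return 0;
}
```

The match is on the whole name field, so a prefix of a listed site or a word on a continuation line does not count as a valid neighbour.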