Date: Mon, 17 Apr 2000 20:09:32 -0700
From: "Michael S. Fischer" <michael@dynamine.net>
To: "Kris Kennaway" <kris@FreeBSD.org>
Cc: <security@FreeBSD.org>
Subject: Re: Fw: Re: imapd4r1 v12.264
Message-ID: <013301bfa8e3$8521f160$7f00800a@corp.auctionwatch.com>
References: <Pine.BSF.4.21.0004172002040.96730-100000@freefall.freebsd.org>

Kris Kennaway wrote:

> On Mon, 17 Apr 2000, Michael S. Fischer wrote:
>
> > Are you saying that remotely giving access to the user's account isn't bad
> > enough? In my environment, certain users have sudo access...
>
> No, I'm saying that in some (perhaps most) environments the user already
> has shell access to the machine, so it's not a risk (if my interpretation
> of the vulnerability is correct). If you have a machine which doesn't
> allow shell access, but serves users with imap, then they can exploit the
> vulnerability to gain shell access to the machine. Note that you need to
> successfully log into an account on the imap server to exploit the
> problem, which means knowing the password.

Understood. Thanks for clearing that up,

--Michael

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message