From owner-freebsd-security Fri Feb 9 11:36:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cithaeron.argolis.org (bgm-24-94-35-22.stny.rr.com [24.94.35.22]) by hub.freebsd.org (Postfix) with ESMTP id 9333337B69D for ; Fri, 9 Feb 2001 11:36:14 -0800 (PST)
Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.11.1/8.11.1) with ESMTP id f19JZxF58531; Fri, 9 Feb 2001 14:36:04 -0500 (EST) (envelope-from piechota@argolis.org)
X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs
Date: Fri, 9 Feb 2001 14:35:59 -0500 (EST)
From: Matt Piechota
To: Szilveszter Adam
Cc:
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE
In-Reply-To: <20010209195847.F27987@petra.hos.u-szeged.hu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 9 Feb 2001, Szilveszter Adam wrote:

> AFAIK it was not at all signed... unlike previous attempts by the same
> "funny" person. But what got me worried (and what nobody apparently
> understood from my post from yesterday) was that this time the prankster
> managed to post on both freebsd-announce and
> freebsd-security-announce, which are supposed to be closed and
> moderated lists.
>
> So does this effectively mean that just by forging a From: header, I can
> already post whatever I want on -announce? (An allegedly trusted resource)
> If so, we (freebsd.org) have a security problem. (Hence the post on
> -security, since we do not have any *public* mailing list for discussing
> security matters wrt freebsd.org itself, before anyone asks again.)
>
> If my allegation is not true, then what happened?

I believe you just have to forge the "Moderated By:" header or something
similar. I know some newsgroups (alt.2600.moderated, I believe) are
moderated, but have no person with moderator power. You have to be l33t
enough to forge the news item to post.
I would assume mailing lists have a similar hole. You can't just forge
the From: header, since I would assume the mail server won't accept
mail From: someone@freebsd.org from a non-freebsd.org machine, but I
could be wrong.

--
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron
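The thread's concern is a moderation gate that trusts a header's mere presence. The example below is added here and is not code from the thread, from FreeBSD, or from any list manager such as Majordomo; it contrasts a presence-only check against a keyed one on constructed sample messages. The header name "Approved:", the secret, the list name and the addresses are assumptions chosen for illustration.

```python
import email
import hashlib
import hmac
from email.message import Message

# Constructed list secret (assumption): in practice it lives only on the
# list server and in the moderator's approval tool, never in the archive.
LIST_SECRET = b"constructed-demo-secret-do-not-reuse"
LIST_NAME = "freebsd-security-announce"  # assumed list name for the demo


def approval_token(list_name: str, message_id: str) -> str:
    """Keyed token a moderator attaches when approving one specific post.

    Binding the MAC to the list name and Message-ID means a token seen on
    one approved message cannot be replayed onto a different one.
    """
    data = f"{list_name}\n{message_id.strip()}".encode()
    return hmac.new(LIST_SECRET, data, hashlib.sha256).hexdigest()


def naive_is_approved(msg: Message) -> bool:
    """Presence-only check: passes as soon as the header name appears."""
    return msg.get("Approved") is not None


def authenticated_is_approved(msg: Message, list_name: str) -> bool:
    """Keyed check: the header must carry the MAC for this exact message."""
    token = msg.get("Approved")
    message_id = msg.get("Message-ID")
    if token is None or message_id is None:
        return False
    expected = approval_token(list_name, message_id)
    # Constant-time comparison on bytes so a non-ASCII header cannot
    # raise instead of simply failing.
    return hmac.compare_digest(token.strip().encode(), expected.encode())


def parse(raw: str) -> Message:
    return email.message_from_string(raw)


# Constructed sample messages (not real list traffic).
GENUINE_ID = "<demo-0001@example.invalid>"
GENUINE_POST = (
    "From: security-officer@example.invalid\n"
    f"To: {LIST_NAME}@example.invalid\n"
    f"Message-ID: {GENUINE_ID}\n"
    "Subject: Constructed advisory\n"
    f"Approved: {approval_token(LIST_NAME, GENUINE_ID)}\n"
    "\n"
    "Body of a post the moderator really approved.\n"
)

FORGED_POST = (
    "From: security-officer@example.invalid\n"
    f"To: {LIST_NAME}@example.invalid\n"
    "Message-ID: <demo-0002@example.invalid>\n"
    "Subject: Constructed prank\n"
    "Approved: yes\n"
    "\n"
    "Body of a post nobody approved; the sender just added the header.\n"
)


def decisions(raw: str) -> dict:
    """Return what each check would decide for one raw message."""
    msg = parse(raw)
    return {
        "naive": naive_is_approved(msg),
        "authenticated": authenticated_is_approved(msg, LIST_NAME),
    }


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_POST), ("forged", FORGED_POST)):
        print(label, decisions(raw))
```

The From: line is identical on both messages, which mirrors the thread's point that the sender address proves nothing; only the keyed token separates them, and because the token is bound to the Message-ID, copying it from a real approved post onto another message also fails.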