-----Original Message----- From: Ben Camp <benc@gallerywatch.com> To: frankie@CNNS.NET <frankie@CNNS.NET> CC: pp@cnns.net Date: March 28, 2000 23:56 Subject: windmail bugtraq
This is in your numbering system.
1. Thanks for letting me know this got all the way to bugtraq. pp@CNNS.NET decided to ignore any responses to his earlier message.
2. I certainly do not have a problem with correcting any problems, but I'm not seeing the 'security problem' here with WindMail. It seems to me that if you make all your files world-readable or run an environment in an administrative user context (NT Administrator/root) then you cannot blame individual utilities that function according to the security constraints you put them in.
"Workaround: Set up the webserver to run under an account that only has read access to files that are meant to be publicly accessed." Is this a workaround, or what one should do before they start blaming tools that have no control over the matter? He also has this in his cgi-bin directory, which would let the webserver execute it directly instead of in the default installation directory outside of the web root.
So here are my questions so we are clear:
1. If you have (mis)configured your machine to allow read access to all files, then how is this a problem with WindMail?
2. What is WindMail doing that it should not given the security constraints it is under?
3. What are your recommendations for how WindMail should act differently and under which circumstances?
Thanks, Ben Camp benc@geocel.com Geocel International
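The message above argues that the real problem is a server whose files are world-readable or whose web server runs with administrative rights. The following is an added example, not part of the original thread and not WindMail's own code: a small POSIX shell audit that lists regular files outside the document root which carry the "other read" bit, i.e. files any account the web server runs as could read no matter what a CGI utility does with them. The directory names and sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread, not WindMail code).
# Audit a tree for files readable by "other" that live outside the
# public document root. Any such file is readable by whatever account
# the web server (and its CGI programs) runs under.

# Print every regular file under $1 with the other-read bit (-perm -004),
# pruning the document root $2, whose contents are meant to be public.
world_readable_outside_docroot() {
    root="$1"
    docroot="$2"
    find "$root" -path "$docroot" -prune -o -type f -perm -004 -print | sort
}

# Build a constructed sample tree, run the audit, and return the number
# of findings on stdout. Paths below are hypothetical.
demo_count() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs" "$tmp/etc" "$tmp/home/alice"
    printf 'public page\n'    > "$tmp/htdocs/index.html"
    printf 'secret=hunter2\n' > "$tmp/etc/app.conf"
    printf 'private notes\n'  > "$tmp/home/alice/notes.txt"
    chmod 644 "$tmp/htdocs/index.html"   # public, inside the docroot: ignored
    chmod 644 "$tmp/etc/app.conf"        # world-readable outside docroot: flagged
    chmod 600 "$tmp/home/alice/notes.txt" # owner-only: not flagged
    n=$(world_readable_outside_docroot "$tmp" "$tmp/htdocs" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$n"
}
```

Run `world_readable_outside_docroot / /var/www` (or whatever your document root is) as root to see what an unprivileged web server account could already read; the constructed sample yields exactly one finding, the config file. The inverse check, confirming that the web server is not running as Administrator or root, is a matter of inspecting the service account rather than the filesystem, and is deliberately outside this script.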