Hi,

I spend a lot o' time for security checks on hylafax-v4.0pl2 for SuSE Linux. I'll tell you that there are some more scary holes in it. After our maintainer of hylafax makes my patch work with the _new_ version of hylafax and the author of hylafax gets my report + patch, I'll make it public. BTW, it would be nice if you'll behave the same way: 1.) notify the author/vendors and 2.) make it public.

Brock, check out a CGI script called faxsurvey. More than a year ago I posted a remote cmd. exec. exploit to bugtraq. I think it isn't fixed till now. The script wouldn't be installed on SuSE Linux.

Last notice: faxalter isn't installed SUID on SuSE Linux, and doesn't have to be, because the server has uid uucp and calls faxalter, AFAIR.

Bye,
Thomas

--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomasat_private
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:45 PDT