Hello,

On Sat, Jan 15, 2000 at 09:14:50PM +0100, Raphael Hertzog wrote:
[..]
> Did you find security holes? If not, how can you be sure that there are
> some? If I remember well, some have already been discovered and most
> of the shell escape problems have been fixed. I think this bug shouldn't
> be marked as grave until a real problem is given.
Just take a look at the Bourne shell script called finger. The only test
that is done is that it isn't called without any argument. Just call it
with '-l' as an argument and *anybody* can see the very verbose
explanation of who is actually logged in.

http://[host]/cgi-bin/finger?-l

The first step for the "bad guys" is to find a name. So, I do think it's
a security hole.

> Anyway I wouldn't mind if we remove this package from Debian. What do
> people think?

We have discussed this and it seems that people agree that the package
can be withdrawn (I have proposed to work on a new one with the same
name).

Best regs,
--
Thierry LARONDE [EMAIL PROTECTED]
website : http://www.polynum.com
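As an added illustration of the argument check described in the message above (this is not the Debian package's cgi-bin/finger script, which the thread does not reproduce, and it is not Thierry's code): a hypothetical reconstruction of a check that only rejects an empty query, next to a hardened check that accepts nothing but a single user name. It assumes the CGI hands the decoded query string to finger(1) as one argument, so `cgi-bin/finger?-l` arrives as the argument `-l`, and that finger parses its options with getopt(3), so `--` ends option processing. The queries in the demo loop are constructed for the example.

```shell
#!/bin/sh
# Added example (not the Debian package's cgi-bin/finger script, which the
# thread does not reproduce). Assumes the CGI passes the query string to
# finger(1) as one argument; "cgi-bin/finger?-l" arrives as the argument "-l".

# Check as described in the thread: the query is rejected only when it is
# empty, so "-l" (or any other finger option) is accepted and passed through.
vulnerable_check() {
    [ -n "$1" ] || return 1
    return 0
}

# Hardened check: accept exactly one user name made of [A-Za-z0-9_.-] that
# does not start with '-'. Options, separators and shell metacharacters
# are all rejected before anything reaches finger.
hardened_check() {
    case "$1" in
        "")                 return 1 ;;   # no query at all
        -*)                 return 1 ;;   # would be parsed as an option
        *[!A-Za-z0-9_.-]*)  return 1 ;;   # ';', '/', '@', space, ...
    esac
    return 0
}

# Command line the hardened wrapper would run (printed, not executed).
# "--" ends option parsing in getopt(3)-based finger implementations
# (assumption), so even a name that slipped through cannot become a flag.
finger_cmdline() {
    hardened_check "$1" || return 1
    printf 'finger -- %s\n' "$1"
}

# Demo over constructed queries: an empty query, the option from the
# report, a plain user name, and a shell-injection attempt.
for q in "" "-l" "alice" "alice;id"; do
    if vulnerable_check "$q"; then v=accept; else v=reject; fi
    if hardened_check "$q";   then h=accept; else h=reject; fi
    printf '%-10s vulnerable=%s hardened=%s\n' "'$q'" "$v" "$h"
done
```

The point of the allow-list in `hardened_check` is that a finger CGI has exactly one legitimate input, a user name, so anything else (an option, a host part, a metacharacter) can be refused outright rather than filtered; the `--` in `finger_cmdline` is a second, independent line of defence in case the check is ever loosened.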