usefor-article-05 July 2001
[< Prev]
[TOC] [ Next >]
9.2.2. Compromise of System Integrity
The posting of unauthorized (as determined by the policies of the
relevant hierarchy) control messages can cause unwanted newsgroups to
be created, or wanted ones removed, from serving agents.
Administrators of such agents SHOULD therefore take steps to verify
the genuiness of such control messages, either by manual inspection
(particularly of the Approved header) or by checking any digital
signatures that may be provided. In addition, they SHOULD
periodically compare the newsgroups carried against any regularly
issued checkgroups messages, or against lists maintained by trusted
servers and accessed by out-of-band protocols such as FTP or HTTP.
Malicious cancel messages (7.5) can cause valid articles to be
removed from serving agents. Administrators of such agents SHOULD
therefore take steps to verify that they originated from the poster,
the injector or the moderator of the article, or that in other cases
they came from a place that is trusted to work within established
policies and customs. Articles containing Replaces and/or Supersedes
headers (6.15) are effectively cancel messages, and SHOULD be subject
to the same checks. Currently, many sites choose to ignore all
cancel messages on account of the difficulty of conducting such
checks.
[But we cannot really say much more until we have Cancel Locks and
digital signatures in place.]
Improperly configured serving agents can allow articles posted to
moderated groups onto the net without first being approved by the
moderator. Injecting agents SHOULD verify that moderated articles
were received from one of the entities given in their Approved
headers and/or check any digital signatures that may be provided.
The filename parameter of the Archive header (6.12) can be used to
attempt to store archived articles in inappropriate locations.
Archiving sites should be suspicious of absolute filename parameters,
as opposed to those relative to some location of the archiver's
choosing.
There may be weaknesses in particular implementations that are
subject to malicious exploitation. In particular, it has not been
unknown for complete shell scripts to be included within Control
headers. Implementors need to be aware of this.
Reading agents should be chary of acting automatically upon Mime
objects with an "application" Content-Type that could change the
state of that agent, except in contexts where such applications are
specifically expected (see 6.21). Even the Content-Type "text/html"
could have unexpected side effects on account of embedded objects,
especially embedded executable code or URLs that invoke non-news
protocols such as HTTP [RFC 2616]. It is therefore generally
recommended that reading agents do not enable the execution of such
code (since it is extremely unlikely to have a valid application
within Netnews) and that they only honour URLs referring to other
parts of the same article.
Non-printable characters embedded in article bodies may have
surprising effects on printers or terminals, notably by reconfiguring
them in undesirable ways which may become apparent only after the
reading agent has terminated.
[< Prev]
[TOC] [ Next >]
#Diff to first older
--- ../usefor-article-04/Compromise_of_System_Integrity.out April 2001
+++ ../usefor-article-05/Compromise_of_System_Integrity.out July 2001
@@ -27,8 +27,14 @@
Improperly configured serving agents can allow articles posted to
moderated groups onto the net without first being approved by the
moderator. Injecting agents SHOULD verify that moderated articles
- were was received from one of the entities given in its Approved
- header and/or check any digital signatures that may be provided.
+ were received from one of the entities given in their Approved
+ headers and/or check any digital signatures that may be provided.
+
+ The filename parameter of the Archive header (6.12) can be used to
+ attempt to store archived articles in inappropriate locations.
+ Archiving sites should be suspicious of absolute filename parameters,
+ as opposed to those relative to some location of the archiver's
+ choosing.
There may be weaknesses in particular implementations that are
subject to malicious exploitation. In particular, it has not been