usefor-article-11 June 2003
[< Prev]
[TOC] [ Next >]
9.2.2. Compromise of System Integrity
The posting of unauthorized (as determined by the policies of the
relevant hierarchy) control messages can cause unwanted newsgroups to
be created, or wanted ones removed, from serving agents.
Administrators of such agents SHOULD therefore take steps to verify
the authenticity of such control messages, either by manual
inspection (particularly of the Approved-header) or by checking any
digital signatures that may be provided (see 7.1). In addition, they
SHOULD periodically compare the newsgroups carried against any
regularly issued checkgroups messages, or against lists maintained by
trusted servers and accessed by out-of-band protocols such as FTP or
HTTP.
Malicious cancel messages (7.3) can cause valid articles to be
removed from serving agents. Administrators of such agents SHOULD
therefore take steps to verify that they originated from the
(apparent) poster, the injector or the moderator of the article, or
that in other cases they came from a place that is trusted to work
within established policies and customs. Such steps SHOULD include
the checking of any digital signatures, or other security devices,
that may be provided (see 7.1). Articles containing Supersedes-
headers (6.15) are effectively cancel messages, and SHOULD be subject
to the same checks. Currently, many sites choose to ignore all
cancel messages on account of the difficulty of conducting such
checks.
Improperly configured serving agents can allow articles posted to
moderated groups onto the net without first being approved by the
moderator. Injecting agents SHOULD verify that moderated articles
were received from one of the entities given in their Approved-
headers and/or check any digital signatures that may be provided (see
7.1).
The filename parameter of the Archive-header (6.12) can be used to
attempt to store archived articles in inappropriate locations.
Archiving sites should be suspicious of absolute filename parameters,
as opposed to those relative to some location of the archiver's
choosing.
There may be weaknesses in particular implementations that are
subject to malicious exploitation. In particular, it has not been
unknown for complete shell scripts to be included within Control-
headers. Implementors need to be aware of this.
Reading agents should be chary of acting automatically upon MIME
objects with an "application" Content-Type that could change the
state of that agent, except in contexts where such applications are
specifically expected (see 6.21). Even the Content-Type "text/html"
could have unexpected side effects on account of embedded objects,
especially embedded executable code or URLs that invoke non-news
protocols such as HTTP [RFC 2616]. It is therefore generally
recommended that reading agents do not enable the execution of such
code (since it is extremely unlikely to have a valid application
within Netnews) and that they only honour URLs referring to other
parts of the same article.
Non-printable characters embedded in article bodies may have
surprising effects on printers or terminals, notably by reconfiguring
them in undesirable ways which may become apparent only after the
reading agent has terminated.
[< Prev]
[TOC] [ Next >]
#Diff to first older
--- ../usefor-article-10/Compromise_of_System_Integrity.out April 2003
+++ ../usefor-article-11/Compromise_of_System_Integrity.out June 2003