usefor-usepro-03 February 2005
[< Prev]
[TOC] [ Next >]
8.2.2. Compromise of System Integrity
The posting of unauthorized (as determined by the policies of the
relevant hierarchy) control messages can cause unwanted newsgroups to
be created, or wanted ones removed, from serving agents.
Administrators of such agents SHOULD therefore take steps to verify
the authenticity of such control messages, either by manual
inspection (particularly of the Approved header) or by checking any
digital signatures that may be provided (see 6.1). In addition, they
SHOULD periodically compare the newsgroups carried against any
regularly issued checkgroups messages, or against lists maintained by
trusted servers and accessed by out-of-band protocols such as FTP or
HTTP.
Malicious cancel messages (6.3) can cause valid articles to be
removed from serving agents. Administrators of such agents SHOULD
therefore take steps to verify that they originated from the
(apparent) poster, the injector or the moderator of the article, or
that in other cases they came from a place that is trusted to work
within established policies and customs. Such steps SHOULD include
the checking of any digital signatures, or other security devices,
that may be provided (see 6.1). Articles containing Supersedes
headers (F-3.2.5) are effectively cancel messages, and SHOULD be
subject to the same checks. Currently, many sites choose to ignore
all cancel messages on account of the difficulty of conducting such
checks.
Improperly configured serving agents can allow articles posted to
moderated groups onto the net without first being approved by the
moderator. Injecting agents SHOULD verify that moderated articles
were received from one of the entities given in their Approved
headers and/or check any digital signatures that may be provided (see
6.1).
The filename parameter of the Archive header (F-3.2.11) can be used
to attempt to store archived articles in inappropriate locations.
Archiving sites should be suspicious of absolute filename parameters,
as opposed to those relative to some location of the archiver's
choosing.
[This parameter may yet be removed from USEFOR.]
There may be weaknesses in particular implementations that are
subject to malicious exploitation. In particular, it has not been
unknown for complete shell scripts to be included within Control
headers. Implementors need to be aware of this.
Reading agents should be chary of acting automatically upon MIME
objects with an "application" Content-Type that could change the
state of that agent, except in contexts where such applications are
specifically expected (as in 5). Even the Content-Type "text/html"
could have unexpected side effects on account of embedded objects,
especially embedded executable code or URIs that invoke non-news
protocols such as HTTP [RFC 2616]. It is therefore generally
recommended that reading agents do not enable the execution of such
code (since it is extremely unlikely to have a valid application
within Netnews) and that they only honour URIs referring to other
parts of the same article.
Non-printable characters embedded in article bodies may have
surprising effects on printers or terminals, notably by reconfiguring
them in undesirable ways which may become apparent only after the
reading agent has terminated.
[< Prev]
[TOC] [ Next >]
#Diff to first older
--- ../usefor-usepro-02/Compromise_of_System_Integrity.out December 2004
+++ ../usefor-usepro-03/Compromise_of_System_Integrity.out February 2005
@@ -5,14 +5,13 @@
be created, or wanted ones removed, from serving agents.
Administrators of such agents SHOULD therefore take steps to verify
the authenticity of such control messages, either by manual
- inspection (particularly of the Approved-header) or by checking any
- digital signatures that may be provided (see a-7.1). In addition,
- they SHOULD periodically compare the newsgroups carried against any
+ inspection (particularly of the Approved header) or by checking any
+ digital signatures that may be provided (see 6.1). In addition, they
+ SHOULD periodically compare the newsgroups carried against any
regularly issued checkgroups messages, or against lists maintained by
trusted servers and accessed by out-of-band protocols such as FTP or
HTTP.
-
Malicious cancel messages (6.3) can cause valid articles to be
removed from serving agents. Administrators of such agents SHOULD
therefore take steps to verify that they originated from the
@@ -20,8 +19,8 @@
that in other cases they came from a place that is trusted to work
within established policies and customs. Such steps SHOULD include
the checking of any digital signatures, or other security devices,
- that may be provided (see a-7.1). Articles containing Supersedes-
- headers (a-6.15) are effectively cancel messages, and SHOULD be
+ that may be provided (see 6.1). Articles containing Supersedes
+ headers (F-3.2.5) are effectively cancel messages, and SHOULD be
subject to the same checks. Currently, many sites choose to ignore
all cancel messages on account of the difficulty of conducting such
checks.
@@ -29,32 +28,33 @@
Improperly configured serving agents can allow articles posted to
moderated groups onto the net without first being approved by the
moderator. Injecting agents SHOULD verify that moderated articles
- were received from one of the entities given in their Approved-
+ were received from one of the entities given in their Approved
headers and/or check any digital signatures that may be provided (see
- a-7.1).
+ 6.1).
- The filename parameter of the Archive-header (a-6.12) can be used to
- attempt to store archived articles in inappropriate locations.
+ The filename parameter of the Archive header (F-3.2.11) can be used
+ to attempt to store archived articles in inappropriate locations.
Archiving sites should be suspicious of absolute filename parameters,
as opposed to those relative to some location of the archiver's
choosing.
+[This parameter may yet be removed from USEFOR.]
There may be weaknesses in particular implementations that are
subject to malicious exploitation. In particular, it has not been
- unknown for complete shell scripts to be included within Control-
+ unknown for complete shell scripts to be included within Control
headers. Implementors need to be aware of this.
Reading agents should be chary of acting automatically upon MIME
objects with an "application" Content-Type that could change the
state of that agent, except in contexts where such applications are
- specifically expected (see a-6.21). Even the Content-Type
- "text/html" could have unexpected side effects on account of embedded
- objects, especially embedded executable code or URLs that invoke
- non-news protocols such as HTTP [RFC 2616]. It is therefore
- generally recommended that reading agents do not enable the execution
- of such code (since it is extremely unlikely to have a valid
- application within Netnews) and that they only honour URLs referring
- to other parts of the same article.
+ specifically expected (as in 5). Even the Content-Type "text/html"
+ could have unexpected side effects on account of embedded objects,
+ especially embedded executable code or URIs that invoke non-news
+ protocols such as HTTP [RFC 2616]. It is therefore generally
+ recommended that reading agents do not enable the execution of such
+ code (since it is extremely unlikely to have a valid application
+ within Netnews) and that they only honour URIs referring to other
+ parts of the same article.
Non-printable characters embedded in article bodies may have
surprising effects on printers or terminals, notably by reconfiguring