Trojan horse possible with news readers
News administrator
news at rosevax.Rosemount.COM
Fri Dec 2 07:44:34 AEST 1988
I don't know if this has been discussed before, but here goes...
Many news reading programs (rn, vnews, others?) allow you include the
original text when following-up or replying-to articles. The
default editor is usually vi; some versions of vi will execute
commands if it sees a line (near the top or bottom of a file)
of the form <e><x><:><command><:>
To see if your setup is vunerable, start a (R)eply to
me, then abort it (I don't want your cards & letters). If
you have the bug, a file called 'NEWSBUG' will appear in /tmp
on your system, containing "any command". Caveat Editor.
I don't fix 'em, I just report 'em.
-----
Merlyn LeRoy
ex:!sh -c 'echo any command'>/tmp/NEWSBUG:
More information about the Comp.unix.wizards
mailing list