RideCamp@endurance.net
Security Hole?
I said:
>To: guest@endurance.net
>Subject: Donna's Column
>From: "Linda B. Merims" <lbm@ici.net>
>Date: Fri, 24 Nov 2000 11:28:16 -0800
>Reply-To: lbm@ici.net
>
>
>...
>Actually, I didn't know you could send posts directly
>to guest@endurance.net. I thought you had to type in replies
>through the web page. If this reply (sent by email) works, then sending
>to guest@endurance.net works. If it doesn't work, then it means it only
>works if you are already a subscriber to Ridecamp...
Yup, it worked. Anyone can get their post on Ridecamp
merely by sending email to guest@endurance.net. It shows up as sent
from lbm@ici.net, even though I am *not* currently a Ridecamp
subscriber.
I think this is a security hole. I am pretty sure that I had
tried this before and it didn't work. Now it does. People will
remember that one of the major reasons the whole web subscriber/guest
mechanism was set up in the first place several years ago was
that nasty business with an anonymous sender slandering a
Ridecamp contributor and hiding behind the system's then-lack of
mechanisms to identify and screen submissions.
Steph? Michael Maul? Whose problem is this?
Linda B. Merims
lbm@ici.net
Massachusetts, USA