RideCamp@endurance.net

Security Hole?



I said:

>To: guest@endurance.net 
>Subject: Donna's Column 
>From: "Linda B. Merims" <lbm@ici.net> 
>Date: Fri, 24 Nov 2000 11:28:16 -0800 
>Reply-To: lbm@ici.net 
>
>
>...
>Actually, I didn't know you could send posts directly
>to guest@endurance.net.  I thought you had to type in replies
>through the web page. If this reply (sent by email) works, then sending
>to guest@endurance.net works. If it doesn't work, then it means it only
>works if you are already a subscriber to Ridecamp...

Yup, it worked.  Anyone can get their post on Ridecamp
merely by sending email to guest@endurance.net.  It shows up as sent
from lbm@ici.net, even though I am *not* currently a Ridecamp
subscriber.

I think this is a security hole.  I am pretty sure that I had
tried this before and it didn't work.  Now it does.  People will
remember that one of the major reasons the whole web subscriber/guest
mechanism was set up in the first place several years ago was
that nasty business with an anonymous sender slandering a
Ridecamp contributor and hiding behind the system's then-lack of
mechanisms to identify and screen submissions. 

Steph?  Michael Maul?  Whose problem is this?

Linda B. Merims
lbm@ici.net
Massachusetts, USA


