This recently showed up on one of the system security mailing lists.
Since many on this list are using or planning to use C-News,
I thought it would be of interest.
The implication is that some newsgroup maintenance commands can affect
a lot more than just your news subsystem.
Obviously, the problem reported won't affect standalone systems,
but some postings have implied that some X*Press users are connected
to other Usenet news sites.
Selden
============
>From: IN%"an46153@anon.penet.fi" 23-FEB-1994 15:09:06.69
>To: IN%"bugtraq@crimelab.com"
>CC:
>Subj: Security problem in C news and INN
>
>Return-path: <bugtraq-owner@crimelab.crimelab.com>
>Received: from crimelab.crimelab.COM by LNS62.LNS.CORNELL.EDU (PMDF V4.2-13
> #3448) id <01H989JKDZO08WY2FW@LNS62.LNS.CORNELL.EDU>; Wed,
> 23 Feb 1994 15:08:12 EST
>Received: from localhost (root@localhost) by crimelab.crimelab.com
> (8.6.4/8.6.4) id NAA10618 for bugtraq-outgoing; Wed, 23 Feb 1994 13:35:38 -0600
>Received: from anon.penet.fi (anon.penet.fi [193.64.138.3]) by
> crimelab.crimelab.com (8.6.4/8.6.4) with SMTP id NAA10612 for
> <bugtraq@crimelab.com>; Wed, 23 Feb 1994 13:35:24 -0600
>Received: by anon.penet.fi (5.67/1.35) id AA12788; Wed, 23 Feb 94 16:40:20 +0200
>Date: Wed, 23 Feb 1994 14:40:19 UTC
>From: an46153@anon.penet.fi (Featherlace)
>Subject: Security problem in C news and INN
>Sender: bugtraq-owner@crimelab.crimelab.com
>To: bugtraq@crimelab.com
>Reply-to: an46153@anon.penet.fi
>Message-id: <9402231440.AA12788@anon.penet.fi>
>Organization: Anonymous contact service
>Content-transfer-encoding: 7BIT
>X-Anonymously-To: bugtraq@crimelab.com
>Precedence: bulk
>
>Maybe I'm the last person on the planet to realize this..... is it common
>knowledge that there's a *major* security hole in both C news performance
>release, and old versions of INN?
>
>If anyone doesn't know what I'm talking about, then you may want to disable
>newgroup and checkgroups processing from C news (performance release), and
>disable processing of ALL control messages except cancel from INN. Disable
>them <completely>, best with an "exit 0" at the first line of all
>appropriate scripts. Do not attempt to interpret or process these articles
>in any way. Don't do _anything_ with these articles except ignore them.
>This is overkill, but anything more specific would be too much of a
>giveaway.
>
>Someone, perhaps me, will post more details about this in a future message.
>
>-------------------------------------------------------------------------
>To find out more about the anon service, send mail to help@anon.penet.fi.
>Due to the double-blind, any mail replies to this message will be anonymized,
>and an anonymous id will be allocated automatically. You have been warned.
>Please report any problems, inappropriate use etc. to admin@anon.penet.fi.