awnpipe : Message: Re: [amiga_sa] Re: security risk

----- Original Message -----
From: "Neil Bothwick" <neil@...>
To: "Bruce Steers" <awnpipe@yahoogroups.com>
Cc: <The-Crypt@yahoogroups.com>; <amiga_sa@yahoogroups.com>;
<awnpipe@yahoogroups.com>; <The-Crypt@yahoogroups.com>
Sent: 11 November 2001 11:31
Subject: Re: [amiga_sa] Re: security risk

> > a better fix would be to make YAM (or whatever) check to see if AWNPipe: is
> > mounted and if it is un-mount it before using yam.
>
> All YAM needs to do is strip escape codes from data before passing ti
> elsewhere. Or it could check that any file it tries to load is really a
> file.
>
> > this could be done by using an ARexx command set as YAM's startup-script (or
> > before getting mail) the following script should be either saved as a script
> > file in REXX and called from your prog or cut-n-pasted into an existing
> > startup-script
>
> That would mean you couldn't use, for example, AWebModes while YAM was
> running. If you have a permanent connection and YAM is always running,
> this is a major inconvenience.

not really (if AWebModes is well coded)
AWeb modes should mount the pipe as it loads (all my awnpipe tools do)

But you would have to close awebmodes before you next check mail

> > the report mentioned ANY MUI internet prog so i guess it includes V and IB
as
> > well ? also the report mainly spoke of APIPE: the above script can be
> > modified by changing the references to AWNPipe: to whatever pipe you want
> > checked.
>
> V is secure, because Vapor have been aware of this problem for some time
> and have made sure it doesn't pass unchecked data to the system. AWeb is
> also secure from similar exploits. I don't know about IBrowse.

Aweb will be ok as it is not mui :^)

> The safest approach is to remove AWNPIPE if nothing you have uses it.
> Otherwise, rename it and change the scripts that call it. If the pipe
> has an arbitrary name, no external source will know the name to use.

but that sounds like more of a pita than my idea :(
the safest way is to stop using MUI internet apps untill they are fixed.

but the question remains ,,, IS awnpipe vulnerable or not ?

Expand Messages

Author

Sort by Date

... Mike I don't know if Neil is on this list (his msg was posted to the AWNPipe list:) but to answer. if you do not have the AWNPIPE descriptor file in...

Bruce Steers
brucesteers

Nov 11, 2001
11:00 am

... In case you didn't notice i forgot the trailing colon : in the 'assign remove' command oops. it should be... 'assign AWNPIPE: remove'...

Bruce Steers
brucesteers

Nov 11, 2001
11:11 am

I'm not 100% convinced that AWNPipe is a security risk. the Report spoke of APIPE: , i do not know how APIPE got it's name but i bet the 'A' does not mean Aweb...

Bruce Steers
brucesteers

Nov 11, 2001
11:21 am

Bruce Steers said, ... It's not the same thing. The affected pipes (AFAIK) are APIPE and AWNPIPE. If you have awnpipe-handler i L: and AWNPIPE in...

Neil Bothwick
wirenetuk

Nov 11, 2001
11:31 am

... From: "Neil Bothwick" <neil@...> To: "Bruce Steers" <awnpipe@yahoogroups.com> Cc: <The-Crypt@yahoogroups.com>; <amiga_sa@yahoogroups.com>;...

Bruce Steers
brucesteers

Nov 11, 2001
1:03 pm

Bruce Steers said, ... AWebModes checks that the pipe is mounted, and mounts it if not. But it doesn't dismount it on exit. ... That's why I said similar...

Neil Bothwick
wirenetuk

Nov 11, 2001
3:41 pm

... It's a good idea to check whether it's mounted before trying to use it. ... I think putting the name of the pipe in a variable at the top of the script is...

Neil Bothwick
wirenetuk

Nov 14, 2001
8:50 am

Yahoo! Groups Tips

Did you know...

Messages

Yahoo! My Yahoo! Mail
	Sign In New User? Sign Up
		Tech - Groups - Help

Yahoo! Groups Tips

Did you know...

Best of Y! Groups

Messages