
Re: [PATCH] Remove absolute paths from gpg.rc



On Sat, Mar 17, 2007 at 12:11:29PM +0100, Bárður Árantsson wrote:
> > If the attacker is merely able to upload an arbitrary file, this is by
> > far the best route to go.  He'll have to make guesses about the best
> > place to put his trojans, but as I just pointed out, that isn't
> > necessarily hard.  By contrast, if he's only able to upload files, but
> > not able to examine the existing contents of files, then replacing
> > someone's muttrc will almost certainly be noticed, by virtue of Mutt's
> > almost mandatory customization.  It's nearly certain that something
> > about the config will be changed, and very likely something the user
> > will notice with very little effort.
> 
> Uhm, am I missing something, or does "uploading", say, ~/.muttrc with
> contents
> 
>     mailboxes `rm -rf /ha/ha/you/die`
> 
> not game over?

Yeah, you're missing something.  Again, not necessarily.  I offered a
suggestion in this thread for how to have the running copy of mutt
detect that its config file has changed, and alert the user.  Will
that guarantee the user will pay attention and take action?  Obviously
no... but at that point it's not Mutt's fault (well, except maybe for
the bug that let it happen in the first place).

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.

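One way to implement the change detection suggested in the reply above, as an added example that is not code from the thread or from Mutt itself: record a digest of the rc file at startup, compare it later, and list the lines that would make the program run a shell command (Mutt expands `...` segments through the shell). The sample rc contents are constructed; the file path handling is left to the caller.

```python
"""Detect whether a mutt-style rc file changed since a recorded baseline and
list the lines that would make the program run a shell command.

Added example for this thread, not code from Mutt. The sample rc text is
constructed; the backtick syntax follows Mutt's convention that `...`
segments are expanded by running them in a shell."""
import hashlib
import re

BACKTICK_RE = re.compile(r"`[^`]+`")

def digest(data: bytes) -> str:
    """SHA-256 hex digest of the config contents."""
    return hashlib.sha256(data).hexdigest()

def shell_expansions(text: str) -> list:
    """Return (line_number, directive, command) for every non-comment line
    that contains a backtick segment, i.e. a line the config would execute."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        directive = stripped.split(None, 1)[0]
        for m in BACKTICK_RE.finditer(stripped):
            found.append((lineno, directive, m.group(0).strip("`")))
    return found

def check_config(current: bytes, baseline_digest: str) -> dict:
    """Compare the config against the digest recorded at startup and report
    whether it changed plus any shell-expanding lines, so the user can be alerted."""
    now = digest(current)
    text = current.decode("utf-8", errors="replace")
    return {
        "changed": now != baseline_digest,
        "digest": now,
        "shell_lines": shell_expansions(text),
    }

# Constructed sample: the rc file the user wrote at startup ...
ORIGINAL_RC = b"set realname = 'Alice Example'\nmailboxes +inbox +sent\n"
# ... and a later version that gained a backtick-expanded directive.
MODIFIED_RC = ORIGINAL_RC + b"# folders\nmailboxes `echo ~/Mail/inbox`\n"

if __name__ == "__main__":
    baseline = digest(ORIGINAL_RC)
    report = check_config(MODIFIED_RC, baseline)
    if report["changed"]:
        print("muttrc changed since startup (digest %s...)" % report["digest"][:16])
    for lineno, directive, cmd in report["shell_lines"]:
        print("line %d: '%s' expands a shell command: %s" % (lineno, directive, cmd))
```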