On Sat, Mar 17, 2007 at 12:11:29PM +0100, Bárður Árantsson wrote:
> > If the attacker is merely able to upload an arbitrary file, this is by
> > far the best route to go. He'll have to make guesses about the best
> > place to put his trojans, but as I just pointed out, that isn't
> > necessarily hard. By contrast, if he's only able to upload files, but
> > not able to examine the existing contents of files, then replacing
> > someone's muttrc will almost certainly be noticed, by virtue of Mutt's
> > almost mandatory customization. It's nearly certain that something
> > about the config will be changed, and very likely something the user
> > will notice with very little effort.
>
> Uhm, am I missing something, or does "uploading", say, ~/.muttrc with
> contents
>
> mailboxes `rm -rf /ha/ha/you/die`
>
> not game over?

Yeah, you're missing something. Again, not necessarily. I offered a
suggestion in this thread for how to have the running copy of mutt
detect that its config file has changed, and alert the user. Will that
guarantee the user will pay attention and take action? Obviously no...
but at that point it's not Mutt's fault (well, except maybe for the bug
that let it happen in the first place).

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will
result in undeliverable mail. Sorry for the inconvenience. Thank the
spammers.
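The change-detection idea discussed above, as an added example that is not part of the original thread and not mutt's own code: a running client records a SHA-256 digest of its config at startup, re-checks it on each poll, and on a mismatch reports which lines were added or removed, flagging any new line that contains backtick command substitution (the `mailboxes \`...\`` vector the quoted message points at). The file contents, the `demo()` scenario and the harmless `echo` command are constructed for the example; the attacker's line is never executed, only inspected.

```python
"""Detect that a mutt-style config file changed after startup and flag
added lines that would run a shell command when re-read.
Added example; not mutt's own code. All inputs below are constructed."""
import difflib
import hashlib
import re
import tempfile
from pathlib import Path

# muttrc runs `...` through the shell and substitutes its output, so any
# newly added line containing backticks deserves a loud warning.
BACKTICK_RE = re.compile(r"`[^`]+`")


def config_digest(path):
    """SHA-256 of the file bytes: the value a running client records at startup."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def take_baseline(path):
    """In-memory snapshot: digest plus the lines, so a later diff is possible."""
    return {"digest": config_digest(path),
            "lines": Path(path).read_text().splitlines()}


def check_config(path, baseline):
    """Compare the on-disk config with the baseline.

    Returns a dict with: changed (bool), added and removed (lists of lines),
    and dangerous (added lines that contain backtick command substitution).
    """
    if config_digest(path) == baseline["digest"]:
        return {"changed": False, "added": [], "removed": [], "dangerous": []}
    current = Path(path).read_text().splitlines()
    diff = list(difflib.unified_diff(baseline["lines"], current, lineterm="", n=0))
    added, removed = [], []
    # diff[0] and diff[1] are the '---'/'+++' headers; '@@' lines are hunk markers.
    for line in diff[2:]:
        if line.startswith("@@"):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    dangerous = [line for line in added if BACKTICK_RE.search(line)]
    return {"changed": True, "added": added, "removed": removed, "dangerous": dangerous}


def demo():
    """Constructed scenario: a benign muttrc, then an attacker overwrites it."""
    with tempfile.TemporaryDirectory() as tmp:
        rc = Path(tmp) / "muttrc"
        rc.write_text("set realname='Alice'\nmailboxes +inbox +lists\n")
        baseline = take_baseline(rc)
        unchanged = check_config(rc, baseline)
        assert not unchanged["changed"]
        # Attacker's replacement keeps one setting so the file still looks
        # plausible, but swaps in a command-substituting mailboxes line.
        rc.write_text("set realname='Alice'\nmailboxes `echo owned > /tmp/owned`\n")
        result = check_config(rc, baseline)
        for line in result["dangerous"]:
            print("WARNING: config changed; new line runs a shell command:", line)
        return result


if __name__ == "__main__":
    demo()
```

A digest of the whole file is the right primitive here because the attacker in the quoted scenario cannot read the existing config, so any replacement changes the digest even when it happens to reuse some settings; the line-level diff and the backtick check are only there to make the alert actionable. A real client would also want to record the digest before the config is parsed, not after, so a file swapped in between startup and the first poll is still caught.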