Charles Marcus wrote: > *IF* there was some kind of vulnerability in ASSP - either directly in > the assp.pl script, or in one of the CPAN modules that ASSP depends on - > what is the *worst* that could happen? Could ASSP ever be compromised to > the point that it itself becomes a source of spam (this is one of the > 'possible' results that was mentioned)? Could a security hole > realistically somehow be leveraged to root someone's server (assuming > ASSP is being run as a non-root user)? > >
Its the same as any other process you are running (like your webserver or Mail MTA). *IF* there was a hole and you are running in chroot mode as a non-root user, they "might" be able to install a shell running as that user. Note, as mentioned, as an SMTP proxy thats probably non-trivial, even with a hole. The web interface would be a better place to attack from an attackers perspective. From there, if you are not up to date on your system upgrades and/or there is a zero day exploit, they "might" be able to get root using a local exploit. The fact that you have chrooted your ASSP process makes that much more difficult (not impossible, but the skill level required goes up dramatically). Its more likely that they would simply use their 'assp' shell to attack other servers and or send out spam from your server. -bill ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Assp-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/assp-user
