> _BUT_ using the CGI_URL verification feature opens up a security hole/issue? After verifying a message you can simply change the first few digits of the querystring (apparently the UID) and discover other usernames on the machine tmda-cgi is running on, because of the verbose error messages returned, for ex: "Cryptography key file /usr/home/someOtherUser/.tmda/crypt_key, permissions ???"
I tried to duplicate this on my system, but didn't ever receive a username in any of the output yet:
1 - Attempt with nonexistent user:
Error: Unable to parse query string.
Cause: Program error / corrupted link.
Additional: Running in system-wide mode.
Attempted to locate pending e-mail with euid 0, egid 0.
Recommend: Please check the link you followed and make sure that it is typed in exactly as it was sent to you.
2 - Attempt with real user, but no home directory for that user:
Error: Confirm Failed
Cause: Old-style URL is not compatible with virtual users
Additional: Running in system-wide mode.
Attempted to use incompatible URL with euid 1002, egid 1001.
Recommend: Contact this message's sender by an alternate means and inform them of this error, or try confirming your message using an alternate method.
3 - Attempt with real user, good home directory, but no ~/.tmda:
Error: Confirm Failed
Cause: Old-style URL is not compatible with virtual users
Additional: Running in system-wide mode.
Attempted to use incompatible URL with euid 2001, egid 2001.
Recommend: Contact this message's sender by an alternate means and inform them of this error, or try confirming your message using an alternate method.
4 - Attempt with real user, good home directory and ~/.tmda, but wrong user:
Error: 1072116355.42213.420e7a is not a valid message ID.
Cause: Program error / corrupted link.
Additional: Running in system-wide mode.
Attempted to retrieve pending e-mail with euid 2002, egid 2001.
Recommend: Recheck link or contact TMDA programmers.
Can you please tell me how exactly you got this error?
Also, what kind of error message screen is it? Is it in a nicely formatted table with "Error", "Cause", "Additional" and "Recommend" sections, or was it an HTML formatted python traceback from an uncaught exception?
-- Jim Ramsay
_____________________________________________ tmda-users mailing list ([EMAIL PROTECTED]) http://tmda.net/lists/listinfo/tmda-users
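The issue raised in the quoted report is a verbose error message echoing a home-directory path (and therefore a username) back to the web client. The following is an added example, not tmda-cgi's own code and not from either poster: a small error renderer that keeps the detailed cause in the server-side log and returns only a fixed, generic message to the client. The names KeyFileError, render_error and leaks_home_path are hypothetical, and the sample path is constructed to mirror the one in the report.

```python
import logging
import re

# Hypothetical module logger; in a real CGI this would write to a server log,
# never to the HTTP response body.
_log = logging.getLogger("confirm-cgi")

# Matches /home/<user> and /usr/home/<user> style paths, which is what leaks
# the username in the reported message.
HOME_PATH = re.compile(r"/(?:usr/)?home/[^/\s]+")


class KeyFileError(Exception):
    """Hypothetical error raised when a per-user key file cannot be used."""

    def __init__(self, path: str, reason: str) -> None:
        super().__init__(f"{path}: {reason}")
        self.path = path
        self.reason = reason


def verbose_message(err: KeyFileError) -> str:
    """The leaky form: internal path and reason echoed straight to the client.

    Constructed to mirror the text quoted in the thread.
    """
    return f"Cryptography key file {err.path}, {err.reason}"


def render_error(err: Exception, log: logging.Logger = _log) -> str:
    """The hardened form: details go to the log, the client gets a fixed string.

    Every key-file failure yields the same client-facing text regardless of
    which user the path belonged to, so the response cannot be used to tell
    an existing account from a nonexistent one.
    """
    if isinstance(err, KeyFileError):
        log.warning("key file problem: path=%s reason=%s", err.path, err.reason)
        return ("Confirm Failed: the link could not be verified. "
                "Contact this message's sender by an alternate means.")
    log.warning("unexpected error: %r", err)
    return "Confirm Failed: program error. Contact the TMDA administrators."


def leaks_home_path(message: str) -> bool:
    """Simple check for a response body that still contains a home path."""
    return HOME_PATH.search(message) is not None


if __name__ == "__main__":
    # Constructed sample mirroring the report in the thread.
    sample = KeyFileError("/usr/home/someOtherUser/.tmda/crypt_key", "permissions ???")
    print("verbose leaks path:", leaks_home_path(verbose_message(sample)))
    print("client sees:", render_error(sample))
```

The `leaks_home_path` check is the kind of assertion worth running over every error template a CGI can emit: if any client-facing string matches a home-directory pattern, the username-disclosure path described in the report is still open.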
