RE: [exim] Re: sensitive data appearing in delay warning mes…

Author: Gray, Richard
Date:  
To: exim-users
Subject: RE: [exim] Re: sensitive data appearing in delay warning messages [was: Please help!]
> -----Original Message-----
> From: exim-users-bounces@???
> [mailto:exim-users-bounces@exim.org] On Behalf Of Philip Hazel
> Sent: 19 April 2005 09:26
> To: Alexander V Alekseev
> Cc: exim-users@???; Brian Candler
> Subject: Re: [exim] Re: sensitive data appearing in delay
> warning messages [was: Please help!]

<SNIP>
>
> Times have changed. Perhaps the best plan now would be
> *never* to give any details in bounce and delay warning
> messages. What do people think?
> Please post your opinion.
>


This seems like a perfect example of information leakage. While this is
the most extreme case, with passwords leaking out, it is easily argued
that any error output that is sent to an unknown user is an information
leak.

Perhaps an industrious hacker spams a particular server, and watches to
see how many messages it takes before an error gets leaked back, or
sends bad strings in various fields just to see the output.

Or worse yet, the information leak reveals that perhaps a username is
used unchecked in a DB query: suddenly you have an attack vector for SQL
insertion attacks.

So, my opinion is that system messages (errors or otherwise) should not
be echoed back to people that can't be trusted.

R


---------------------------------------------------
This email from dns has been validated by dnsMSS Managed Email Security and is free from all known viruses.

For further information contact email-integrity@???
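As an added, defender-side illustration of the point made in this post (example code, not from the thread, from Exim, or from the poster): a mail system can keep a full delivery diagnostic in its own log for the operator while the bounce or delay warning that goes back to an untrusted sender carries only a fixed generic sentence and a correlation ticket. The sample diagnostic, host name, spool path and AUTH string below are constructed for the example, and the function names are hypothetical.

```python
import re
import uuid
import logging
from typing import Optional, Tuple

log = logging.getLogger("mta.delivery")

# Constructed sample of an internal delivery diagnostic of the kind a
# transport might record.  It mixes a status line with material that should
# never reach an outside sender: an AUTH exchange (which encodes a password),
# an internal host name and address, and a spool file path.
SAMPLE_DIAGNOSTIC = (
    "SMTP error from remote mail server after AUTH PLAIN AGFsaWNlAHMzY3IzdA==:\n"
    "535 5.7.8 Authentication credentials invalid\n"
    "host: smarthost.internal.example (10.0.0.25)\n"
    "transport: remote_smtp, file /var/spool/exim/input/1DN9-0001.D\n"
)

# A reply line from the remote server: three-digit SMTP code, then space or hyphen.
SMTP_CODE = re.compile(r"^\s*([245])\d\d[ -]")
# Words that mark a line as part of an authentication exchange or a local path.
SENSITIVE = re.compile(r"\b(AUTH|334|password|passwd)\b|/etc/|/var/", re.IGNORECASE)
# Long base64-looking tokens (credentials, session blobs) are masked even on kept lines.
BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# What the untrusted sender is allowed to learn: the class of the outcome, nothing more.
GENERIC_TEXT = {
    "4": "Delivery is temporarily delayed; the server will keep retrying.",
    "5": "Delivery failed permanently at the remote server.",
    "?": "Delivery could not be completed.",
}


def classify(raw: str) -> str:
    """Return the SMTP code class of a diagnostic: '4' (temporary), '5' (permanent),
    or '?' when no reply code is visible at all."""
    for line in raw.splitlines():
        m = SMTP_CODE.match(line)
        if m and m.group(1) in ("4", "5"):
            return m.group(1)
    return "?"


def redact_transcript(raw: str) -> str:
    """For operators who insist on quoting the remote reply: keep only genuine
    reply lines, drop any that touch authentication or local paths, and mask
    long tokens on the rest.  Free-form lines (hosts, transports, files) never survive."""
    kept = []
    for line in raw.splitlines():
        if not SMTP_CODE.match(line):
            continue
        if SENSITIVE.search(line):
            continue
        kept.append(BLOB.sub("[redacted]", line.strip()))
    return "\n".join(kept)


def sanitise_for_bounce(raw: str, ticket: Optional[str] = None) -> Tuple[str, str]:
    """Split a raw diagnostic into (text for the bounce, ticket id).

    The full raw diagnostic is written to the local log under a ticket id;
    the text returned for the bounce contains only the generic sentence for
    the code class plus that ticket, so the operator can correlate a
    complaint with the real detail without the detail ever leaving the host."""
    ticket = ticket or uuid.uuid4().hex[:12]
    log.warning("ticket=%s raw delivery diagnostic: %s", ticket, raw.strip())
    return f"{GENERIC_TEXT[classify(raw)]} Reference: {ticket}", ticket


if __name__ == "__main__":
    public_text, ref = sanitise_for_bounce(SAMPLE_DIAGNOSTIC)
    print("sent to sender  :", public_text)
    print("redacted quote  :", redact_transcript(SAMPLE_DIAGNOSTIC))
```

The design choice is that the bounce text is built from a fixed table keyed by code class, not by filtering the diagnostic: filtering is only as good as its patterns, whereas the table can only ever emit the three sentences above. `redact_transcript` is the weaker fallback for sites that want to quote the remote status line; it still refuses anything that is not a reply line.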