How-do-you-do,

noniq @ [EMAIL PROTECTED] wrote:

n> does anyone know when ritlabs will offer a patch for the
n> X-BAT-FILES-problem recently discussed on bugtraq?

First:

I tested the spoofing vulnerability ages ago so it was not a surprise when I
saw Steve's posting. However, contrary to the posting by Steve, I have NOT
found a single instance where TB! deletes file attachments outside of the
mailbox's attachment folder simply by deleting the message from a folder
within TB!. If a message is deleted from within any folder in TB! it will
not delete the mail from the attachment folder, even if 'Delete attached
files when message is deleted from the Trash' is selected under Account
Properties/Files & Directories. In other words, even emptying trash still
leaves the attachment in place. :-)

Second:

If you delete an attachment from the message body you will still be prompted
by TB! asking you to confirm whether you want to delete the attachment or
not. The Dialog box displays the full path to the attachment & the
attachment file name allowing you to immediately determine whether such an
action should be performed - if you see: 'c:\windows\user.dat' then you
would obviously be an idiot if you deleted it.

Yes, the attachment does also get deleted from the spoofed path if you
delete it from the message body. This does occur. However, as I have said:

1: you get a dialog box warning you before hand. - YOU CAN READ?
2: The FULL path to the attachment in question is shown - YOU CAN READ?
3. The filename in question is shown - YOU CAN READ?
4. You get a choice of 'Yes' or 'No' to delete. - Doh!

Well you can guess who this is going to affect!

Third

Although concerned enough to send email to Stefan about the security
implications of this 'bit of a security issue', I did not think it
significant enough to get everyone panicked by posting a paranoid warning to
TBUDL providing ALL details, and thereby identifying this minuscule problem
to all and sundry! - now it is general knowledge it hardly matters.

In Stefan's reply to my email he said that, "We will change it to something
more convenient in the next version". Good enough for me.

Granted, a 'pin hole' is still a 'pin hole', but quite frankly, the danger
is so minuscule it hardly warrants all the hoo haa. It has simply escalated
way out of proportion to the actual problem.

Looking forward to version 2!
  

Slan, 

 Simon mailto:[EMAIL PROTECTED]                         


Usin' TB! v1.41 B5

 <!-- 

  L’homme est bien insensé. Il ne saurait forger un ciron, et forge des Dieux à 
douzaines!

  (Man is quite insane. He cannot create a maggot, and he creates Gods by the dozen)

  MONTAIGNE 1533-1592

 //-->

-- 
--------------------------------------------------------------
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   <mailto:[EMAIL PROTECTED]>
To Unsubscribe from TBUDL, double click here and send the message:
   <mailto:[EMAIL PROTECTED]>
--------------------------------------------------------------

You are subscribed as : archive@jab.org

Reply via email to