INTERNET-DRAFT                               Charles H. Lindsey
Usenet Format Working Group                  University of Manchester
                                             July 2001

9.2.2. Compromise of System Integrity

   The posting of unauthorized (as determined by the policies of the
   relevant hierarchy) control messages can cause unwanted newsgroups to
   be created, or wanted ones removed, from serving agents.
   Administrators of such agents SHOULD therefore take steps to verify
   the genuineness of such control messages, either by manual inspection
   (particularly of the Approved header) or by checking any digital
   signatures that may be provided. In addition, they SHOULD
   periodically compare the newsgroups carried against any regularly
   issued checkgroups messages, or against lists maintained by trusted
   servers and accessed by out-of-band protocols such as FTP or HTTP.

   Malicious cancel messages (7.5) can cause valid articles to be
   removed from serving agents. Administrators of such agents SHOULD
   therefore take steps to verify that they originated from the poster,
   the injector or the moderator of the article, or that in other cases
   they came from a place that is trusted to work within established
   policies and customs. Articles containing Replaces and/or Supersedes
   headers (6.15) are effectively cancel messages, and SHOULD be subject
   to the same checks.  Currently, many sites choose to ignore all
   cancel messages on account of the difficulty of conducting such
   checks.
[But we cannot really say much more until we have Cancel Locks and
digital signatures in place.]

   Improperly configured serving agents can allow articles posted to
   moderated groups onto the net without first being approved by the
   moderator. Injecting agents SHOULD verify that moderated articles
   were received from one of the entities given in their Approved
   headers and/or check any digital signatures that may be provided.

   The filename parameter of the Archive header (6.12) can be used to
   attempt to store archived articles in inappropriate locations.
   Archiving sites should be suspicious of absolute filename parameters,
   as opposed to those relative to some location of the archiver's
   choosing.
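
   One way an archiver could apply this check, as an added example that
   is not part of the draft. It goes beyond absolute names and also
   rejects parent-directory components and control characters. The
   archive root and the 'yes; filename="..."' parameter layout are
   assumptions.

```python
from pathlib import Path, PurePosixPath

# Assumed archive location chosen by the archiver (hypothetical path).
ARCHIVE_ROOT = Path("/var/spool/news-archive")


class UnsafeArchiveName(ValueError):
    """The filename parameter is missing or would escape the archive root."""


def filename_param(header_value):
    """Return the filename parameter of an Archive header value, or None.

    Assumes a 'yes; filename="..."' layout; the grammar of 6.12 is not
    shown on this page. Quoted values containing ';' are not handled.
    """
    for part in header_value.split(";")[1:]:
        name, _, value = part.partition("=")
        if name.strip().lower() == "filename":
            return value.strip().strip('"')
    return None


def archive_path(header_value, root=ARCHIVE_ROOT):
    """Map an Archive header value to a path strictly inside root."""
    name = filename_param(header_value)
    if not name:
        raise UnsafeArchiveName("no filename parameter")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name) or "\\" in name:
        raise UnsafeArchiveName("control character or backslash in name")
    rel = PurePosixPath(name)
    if rel.is_absolute():
        raise UnsafeArchiveName("absolute filename parameter")
    if ".." in rel.parts:
        raise UnsafeArchiveName("parent-directory component in name")
    # Resolve symlinks already present under root, then re-check containment.
    base = root.resolve()
    target = (base / rel).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise UnsafeArchiveName("resolves outside archive root") from None
    if target == base:
        raise UnsafeArchiveName("name does not denote a file")
    return target
```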

   There may be weaknesses in particular implementations that are
   subject to malicious exploitation. In particular, it has not been
   unknown for complete shell scripts to be included within Control
   headers. Implementors need to be aware of this.

   Reading agents should be chary of acting automatically upon Mime
   objects with an "application" Content-Type that could change the
   state of that agent, except in contexts where such applications are
   specifically expected (see 6.21).  Even the Content-Type "text/html"
   could have unexpected side effects on account of embedded objects,
   especially embedded executable code or URLs that invoke non-news
   protocols such as HTTP [RFC 2616].  It is therefore generally
   recommended that reading agents do not enable the execution of such
   code (since it is extremely unlikely to have a valid application
   within Netnews) and that they only honour URLs referring to other
   parts of the same article.

   Non-printable characters embedded in article bodies may have
   surprising effects on printers or terminals, notably by reconfiguring
   them in undesirable ways which may become apparent only after the
   reading agent has terminated.

Previous draft (04): 9.2.2. Compromise of System Integrity

Diffs to previous draft

--- {draft-04}	Wed Jul 11 21:56:23 2001
+++ {draft-05}	Wed Jul 11 21:56:23 2001
@@ -26,10 +26,14 @@
    Improperly configured serving agents can allow articles posted to
    moderated groups onto the net without first being approved by the
    moderator. Injecting agents SHOULD verify that moderated articles
-   were was received from one of the entities given in its Approved
-   header and/or check any digital signatures that may be provided.
-
+   were received from one of the entities given in their Approved
+   headers and/or check any digital signatures that may be provided.
 
+   The filename parameter of the Archive header (6.12) can be used to
+   attempt to store archived articles in inappropriate locations.
+   Archiving sites should be suspicious of absolute filename parameters,
+   as opposed to those relative to some location of the archiver's
+   choosing.
 
    There may be weaknesses in particular implementations that are
    subject to malicious exploitation. In particular, it has not been
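
Review bot: The added Archive paragraph warns only about absolute filename parameters, but a relative parameter containing parent-directory components can equally leave "some location of the archiver's choosing"; suggest wording along the lines of "absolute filename parameters, and of relative ones that lead outside the chosen location". The same paragraph uses lowercase "should" while the paragraph just above it uses "SHOULD" for injecting agents; if the advice to archiving sites is meant to be normative, capitalize it, and if not, a word saying so would avoid readers guessing.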