BB Unix Network Monitor - Message


Re: {bb} roracle bb display issue



On Thu, 2006-03-23 at 01:12, Aaron Stranberg wrote:
>   Phil
>      Thanks, that totally resolved my html issue!  On the security comment are
> you referring to roracle and allowing it to log in to oracle in general, or is
> that in reference to the EMBEDHTML change?  Security is definitely a concern.

Sorry for the delay in responding. My ISP's inbound mailserver
appears to be having a few problems :(

It was the allowing of embedded HTML in BB status messages that I
was referring to. I'm not exactly sure of all the ramifications, but I
would imagine that, if a web server is prudently configured, a malicious
Cracker would only be able to make a real mess of the web pages (or
maybe cover their tracks).

I do, however, feel that there is a theoretical risk that someone
might be able to use a BB client to exploit a weak web server. I
could be wrong, though. It's just my ignorance that makes me
paranoid, but that's not a bad thing to be (in cases like this).

Personally, I would only consider allowing embedded HTML on an
internal BB server (not accessible from the internet) which did
not have external clients (which are accessible from the internet)
reporting to it. I'd also use the BB "security" file to restrict
connections and pay particular attention to the BB user on each
client. I try to use a special BB user on each client (which does
not have a valid login) and make sure that only this user has access
to the BB client directories.

Cheers, Phil.



-- 
Blore's Razor: Given a choice between two theories, take the one
which is funnier.
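A minimal illustration of the EMBEDHTML point raised above, added here as an example and not code from the BB project or from either poster: a status-line renderer that escapes everything by default and, when embedded HTML is switched on, lets through only an allow-list of bare inline tags. The function name, the tag list and the sample messages are assumptions made for this example.

```python
import html
import re

# Tags allowed to survive when EMBEDHTML is on: bare inline tags only, no
# attributes, so event handlers and links can never be smuggled in.
# This tag list is an assumption for the example, not a BB setting.
ALLOWED_TAGS = ("b", "i", "br")
_ALLOWED_RE = re.compile(r"&lt;(/?)(" + "|".join(ALLOWED_TAGS) + r")&gt;",
                         re.IGNORECASE)


def render_status(text: str, embedhtml: bool = False) -> str:
    """Return the HTML fragment for one status line.

    embedhtml=False is the safe default: the whole message is escaped, so a
    client can only change what the page says, never what it does.
    embedhtml=True mirrors the risky setting but still limits clients to the
    allow-listed bare tags; everything else stays escaped.
    """
    escaped = html.escape(text, quote=True)
    if not embedhtml:
        return escaped
    # Escape first, then selectively un-escape only exact allow-listed tags.
    return _ALLOWED_RE.sub(r"<\1\2>", escaped)


# Constructed sample messages, as a client might report them (not real BB data).
SAMPLE_STATUS = {
    "plain": "disk /var 87% used",
    "markup": "<b>disk</b> /var 87% used<br>",
    "hostile": '<b onclick="alert(1)">disk</b> <script>alert(1)</script>',
}

if __name__ == "__main__":
    for name, msg in SAMPLE_STATUS.items():
        print(f"{name:8s} off: {render_status(msg)}")
        print(f"{name:8s} on : {render_status(msg, embedhtml=True)}")
```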


