On Jan 9, 2008 1:45 PM, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
> Daniel Brown schreef:
> > No, go back over the archives or digests and you'll see that it
> > was supposed to be a once-per-week email for post tracking on the list
> > that went haywire. It wound up sending over a hundred messages to the
> > list, which - in my opinion - also indicates a flaw in the mailing
> > list software.
>
> so do we call you 'PostTrack' or "PassTheBuck" from now on? ;-)

No, you call me The Moron Who Commented-Out The Wrong Line And Flooded The List With Test Data. It's a long name, but it's accurate.

When I was running the cron to see why the piped response wasn't working (as it turned out, I had simply mistyped the address in valiases), it was supposed to send the data directly to my email address only. However, I commented out the wrong line, and uncommented the line containing the php-general@xxxxxxxxxxxxx address. Then, because I didn't know that it was working the whole time, when I discovered the bugs and repaired them, the messages - sent every minute by the cron for testing - were queued in the mailing list database, pending confirmation of the sending address.

THIS is the part I believe is a serious flaw in the mailing list software, because it's been proven that all a malicious user would have to do is flood the list, then confirm the address from which they sent the messages after the queue has been flooded, and the messages will be dispatched. It should only hold a maximum of two messages in the queue, in my [very] humble opinion.

The problem was that all of the messages were sitting in the queue without my knowledge. They were not being sent from the server when they were being received by subscribers to the list; they were being sent by the mailing list software.

This also identifies an issue that would suggest that the mailing list system could be vulnerable to a denial-of-service style of attack, where the queue is flooded with thousands - even millions - of messages and doesn't dispose of them properly.

So once again, my apologies, but I do think that the exercise accidentally identified a security and stability issue with the list software that should be addressed. Maybe it can be done with a setting, but it may require a hard-coded patch. I don't know, but hopefully someone else here does.

-- 
</Dan>
Daniel P. Brown
Senior Unix Geek and #1 Rated "Year's Coolest Guy" By Self Since 1979.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
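The design issue raised in the message above is a moderation queue that holds every post from an unconfirmed address and releases the whole backlog once the address is confirmed. The following is an added example, not code from the thread or from any mailing list package, that models that queue with the mitigation the message proposes: at most two held posts per unconfirmed sender, anything beyond that discarded rather than stored, plus an assumed expiry so held posts do not accumulate indefinitely. Class and method names, the three-day hold time and the `tester@example.invalid` address are all constructed for illustration.

```python
"""Model of a mailing-list moderation queue with a per-sender cap on held
messages.  Added example (not the thread's or any list software's code);
names, the hold time and the sample address are assumptions.

Unmitigated behaviour: every post from an unconfirmed address is stored,
and confirming the address dispatches the entire backlog.
Mitigation modelled here: hold at most MAX_HELD_PER_SENDER posts per
unconfirmed sender, drop the rest, and expire held posts after a limit,
so a confirmation can only ever release a small, bounded number of posts.
"""
from collections import deque
from dataclasses import dataclass, field
import time

MAX_HELD_PER_SENDER = 2          # the cap proposed in the message
HOLD_SECONDS = 3 * 24 * 3600     # assumed: expire unconfirmed posts after 3 days


@dataclass
class HeldMessage:
    sender: str
    body: str
    received_at: float


@dataclass
class ModerationQueue:
    max_held: int = MAX_HELD_PER_SENDER
    hold_seconds: float = HOLD_SECONDS
    confirmed: set = field(default_factory=set)
    held: dict = field(default_factory=dict)      # sender -> deque[HeldMessage]
    dropped: int = 0
    dispatched: list = field(default_factory=list)

    def receive(self, sender, body, now=None):
        """Accept one inbound post; returns 'dispatched', 'held' or 'dropped'."""
        now = time.time() if now is None else now
        if sender in self.confirmed:
            self.dispatched.append((sender, body))
            return "dispatched"
        q = self.held.setdefault(sender, deque())
        self._expire(q, now)
        if len(q) >= self.max_held:
            # Bounded queue: the excess is discarded, not stored for later release.
            self.dropped += 1
            return "dropped"
        q.append(HeldMessage(sender, body, now))
        return "held"

    def confirm(self, sender, now=None):
        """Sender proves control of the address; release at most max_held posts."""
        now = time.time() if now is None else now
        self.confirmed.add(sender)
        q = self.held.pop(sender, deque())
        self._expire(q, now)
        released = [(m.sender, m.body) for m in q]
        self.dispatched.extend(released)
        return len(released)

    def _expire(self, q, now):
        # Drop held posts older than the hold limit (oldest first).
        while q and now - q[0].received_at > self.hold_seconds:
            q.popleft()
            self.dropped += 1


def simulate_flood(n_messages, max_held=MAX_HELD_PER_SENDER):
    """Constructed scenario: one unconfirmed address posts n_messages, one per
    minute as the cron job in the thread did, then confirms the address.
    Returns (posts released on confirm, posts dropped, total dispatched)."""
    mq = ModerationQueue(max_held=max_held)
    t0 = 1_000_000.0
    for i in range(n_messages):
        mq.receive("tester@example.invalid", f"test {i}", now=t0 + 60 * i)
    released = mq.confirm("tester@example.invalid", now=t0 + 60 * n_messages)
    return released, mq.dropped, len(mq.dispatched)


if __name__ == "__main__":
    # Effectively uncapped queue (the behaviour described in the thread) vs capped.
    print("uncapped:", simulate_flood(100, max_held=10**9))
    print("capped  :", simulate_flood(100))
```

With the cap in place, a hundred test posts from an unconfirmed address leave two held and ninety-eight dropped, and confirming the address dispatches only those two; without the cap the same flood dispatches all hundred on confirmation. The expiry pass runs on every receive and confirm, so a sender who never confirms does not keep posts parked in the queue past the hold limit either.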