Subj : Re: WEB Access BBSes
To : haliphax
From : Jon Watson
Date : Wed Oct 27 2004 09:05 am

======>>> haliphax, 1:2800/18 wrote:
Originally to: Jon Watson

JW> What's the hole? I don't see it. If you're referring to the ability for a
JW> person to use another person's name on another node, that's nothing new or
JW> specific to web bbses....

wow. that is quite a security flaw. isn't that something that can be easily fixed? apparently, it happened by accident in this case (in michael's case).. i know it's not that hard to do in php, anyway.

-todd

--haliphax //rMRS cotm.dyndns.org vanguard mods

<<<====== end quote

See, I must be misunderstanding. Here's what I'm talking about:

I have an account on BBS A as Jon Watson. I'm a mean-spirited bastard, so I go to BBS B and create a new account under your name. Now any messages I post from BBS B appear to come from you and unless someone is cognizant enough to notice that your node number has changed, you would get blamed for everything I post.

This isn't a security issue per se; it's an artifact of running individual, unconnected systems.

Surely we're talking about two different things, no?

Jon

-FOTW: read your Fidonet On The Web! http://www.theheatsinkbbs.ca :=-

--- Internet Rex 2.29
 * Origin: The gateway at The HeatSink BBS (1:134/703)
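
Added example, not part of the original message or of any BBS software: a Python check that automates noticing that a poster's node number has changed, by pairing each sender name with the node address on the Origin line and flagging names that appear from more than one node. The sample messages and node addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Header and Origin line layout as seen in the message above:
#   "From : <name>"   and   " * Origin: <text> (zone:net/node)"
FROM_RE = re.compile(r"^From[ \t]*:[ \t]*(\S.*?)[ \t]*$", re.M)
ORIGIN_RE = re.compile(r"^\s*\* Origin: .*\((\d+:\d+/\d+(?:\.\d+)?)\)\s*$", re.M)

# Constructed sample messages (not real traffic); addresses are made up.
SAMPLE_MESSAGES = [
    "From : Alice Example\nSubj : hi\n\nhello\n--- Ed 1.0\n * Origin: BBS A (1:999/1)\n",
    "From : Bob Sample\nSubj : hi\n\nhey\n--- Ed 1.0\n * Origin: BBS C (1:999/3)\n",
    "From : alice  example\nSubj : re\n\nrude post\n--- Ed 1.0\n * Origin: BBS B (1:999/2)\n",
    "From : Alice Example\nSubj : re\n\nagain\n--- Ed 1.0\n * Origin: BBS A (1:999/1)\n",
]


def sender_identity(raw):
    """Return (normalized name, origin address), or None if either is missing."""
    name = FROM_RE.search(raw)
    origins = ORIGIN_RE.findall(raw)
    if not name or not origins:
        return None
    # Collapse whitespace and case so "alice  example" == "Alice Example".
    normalized = " ".join(name.group(1).split()).casefold()
    # The message's own Origin line is the last one in the text.
    return normalized, origins[-1]


def names_on_multiple_nodes(messages):
    """Map each sender name seen from more than one node to its addresses."""
    seen = defaultdict(set)
    for raw in messages:
        ident = sender_identity(raw)
        if ident:
            seen[ident[0]].add(ident[1])
    return {n: sorted(addrs) for n, addrs in seen.items() if len(addrs) > 1}


if __name__ == "__main__":
    for name, addrs in names_on_multiple_nodes(SAMPLE_MESSAGES).items():
        print(f"{name!r} posted from multiple nodes: {', '.join(addrs)}")
```

A hit is a prompt for a moderator to look, not proof of impersonation, since the same person can hold accounts on several systems.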