echo: muffin
to: Bo Simonsen
from: Bob Jones
date: 2003-10-18 15:47:54
subject: Maximus message editing

 PK> If I remember correctly, Scott was a little worried 
 PK> about one aspect of the QWK environment that _MIGHT_ 
 PK> allow a QWK user to do "bad things" to the BBS, the end 
 PK> result was part of the reason for the hard coded menu 
 PK> name. I really wish I still had his reply, it was quite 
 PK> involved...

 PK> As for proposing something, well I don't know, I guess 
 PK> it depends on how configurable the system is in that 
 PK> area and what dangers may exist for external data (IE a 
 PK> QWK packet) to modify the way the BBS worked.

 BS> Hmm.. Okay I really can't see how it should affect 
 BS> this.. I mean then you're uploading a QWK package, 
 BS> Maximus is only reading the package, and if it's good 
 BS> then it stores it to the message base..

 BS> Nothing is being executed or so..

If you have path names enabled on your decompression of the QWK archive,
you can get into trouble....  But someone would have to think about the
path structure to clobber something.  QWK packets are unpacked relative to
the running BBS control files, so with the right relative path in a
compressed, uploaded QWK mail packet, you could overwrite a control file,
or something else equally important....

That's why directory structures need to get suppressed when unarchiving stuff.

Also there were issues to make sure QWK uploads observed the privilege
restrictions on users that are part of the rest of the BBS.....

Take care.....

Bob Jones, 1:343/41


--- Maximus/2 3.01
* Origin: Top Hat 2 BBS (1:343/41)
SEEN-BY: 633/267 270
@PATH: 343/41 10/345 106/1 2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
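
The directory-suppression point in the message above, as an added example that is not part of the original post or of Maximus: an unpacker that writes only path-free entries into one inbound directory and rejects everything else. It assumes the uploaded packet is a ZIP archive; the function names and the sample entry names are constructed for illustration.

```python
import io
import os
import shutil
import zipfile
from pathlib import PureWindowsPath


def flat_name(entry_name):
    """Return the entry's bare file name, or None if it carries any path.

    PureWindowsPath treats both '/' and '\\' as separators and recognises
    drive letters, matching the DOS and OS/2 hosts a BBS typically ran on.
    """
    p = PureWindowsPath(entry_name)
    if p.drive or p.root or len(p.parts) != 1 or p.name in ("", ".", ".."):
        return None
    return p.name


def unpack_flat(packet_bytes, dest_dir):
    """Extract path-free entries into dest_dir; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(packet_bytes)) as zf:
        for info in zf.infolist():
            name = None if info.is_dir() else flat_name(info.filename)
            target = os.path.join(dest_dir, name) if name else None
            # Refuse path-bearing entries, and never replace an existing file.
            if target is None or os.path.lexists(target):
                rejected.append(info.filename)
                continue
            with zf.open(info) as src, open(target, "xb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(name)
    return written, rejected


def build_sample_packet():
    """Constructed test packet: one plain entry and three path-bearing ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("BBSID.MSG", "../control.dat",
                     "..\\ctl\\control.dat", "C:\\bbs\\control.dat"):
            zf.writestr(name, b"constructed sample data")
    return buf.getvalue()
```

Logging the rejected list per upload gives the sysop a record of which packets carried path components.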
