Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!decvax!tektronix!hplabs!sri-unix!RCONN@Simtel20.ARPA
From: RCONN@Simtel20.ARPA
Newsgroups: net.micro.cpm
Subject: [JFORREST: RBBS/ZCPR2]
Message-ID: <12219@sri-arpa.UUCP>
Date: Wed, 8-Aug-84 13:35:00 EDT
Article-I.D.: sri-arpa.12219
Posted: Wed Aug  8 13:35:00 1984
Date-Received: Fri, 10-Aug-84 08:14:22 EDT
Lines: 34

From:  Richard Conn 

FYI - this is the message I responded to in my comments about security
under ZCPR3. -- Rick

Date: Wednesday, 8 August 1984  06:30-MDT
From: Jim Forrest 
To:   KPETERSEN at SIMTEL20.ARPA
cc:   JFORREST at SIMTEL20.ARPA
Re:   RBBS/ZCPR2
ReSent-From: KPETERSEN@SIMTEL20
ReSent-To: RCONN
ReSent-Date: Wed 8 Aug 1984 07:14-MDT

Keith

Found a serious weakness in security.

With user areas restricted to 0-9, a user in 0: can type:

11:sweep2

Then can use sweep to go to any user area as it over-rides bye limits.

I have tried protect and password (whatever correct names are) to no
avail.

Possibly I have bye set for cpm 2.2 and not zcpr2 or nzcpr2. I am
using version of zcpr2 set up for security that eliminates some
commands. I was not sure which to use in bye as I had some trouble
when I set on zcpr2 or nzcpr2. That may be due to difference in max
user set with genins and max user set in bye.

Jim