I have to believe that if someone can hack a hole in your nntp server,
they can also just hack a shell onto it, even if it's hidden behind a
firewall with a proxy nntp on it. That is, if there is some hole that
allows arbitrary shell commands to be passed, wouldn't "exec /bin/sh"
be a good one? :-)
INN is careful to only run shell commands found in PATH_CONTROLPROGS or
PATH_RNEWSPROGS; safety is designed in. I haven't looked at Cnews in
the past year, but I doubt Henry or Geoff would allow anything that
exploitable past their careful eyes.
You should be more worried about the code your vendor ships you. You
(probably) don't have the source for that, so you can't read it.
Brent's comment does apply. The sun.* groups have leaked more than
once. (And yes, it was my fault, though they didn't leak off the
firewall, but rather via UUCP to a local site (connected via another