Re: WWW Security Hole -- Bull! -- Bull!

Tony Sanders (sanders@bsdi.com)
Thu, 12 Aug 1993 19:44:01 -0500


> location of the request; say, the president or CEO or their
> company/University/etc.) and the contents of such mail sufficiently
> bad (say, brutal rape and death threats) it would not be difficult to
> envision having accounts yanked, being fired or expelled, and the like
> to happen to many people before the truth was discovered (if it ever
> was; depends how clever I was about it.)

This would never happen; a simple grep through the user's files would find
the offensive data in the .mosaic-global-history file and from there it
wouldn't take a genius to figure out the rest. The site serving the
offending data would probably have their net connection yanked in short
order until things could be sorted out.

This is a good reason for browsers to keep good log files of what they do.

Also, the big problem is the behind the user's back aspect of <IMG>
retrieval. At least, with normal links the user can see the URL
before clicking on it. So paranoids might want to have browsers that
let them verify non-standard requests on these.

> In general, safety is more important than functionality. Period.
> That's why we have speed limits on roads, and that's why we need this
> fix.

I agree that this should be fixed. For gopher it seems reasonable to
limit access to only ports 70 and >1024. Sites that use ports <1024 that
aren't port 70 are broken. As far as I know there is only one that matters:
doppler.ncsc.org:71, big deal (allow 70 and 71 if you want). nic.ddn.mil:43
is the other and it's just a goophy gopher/whois port, all the information
is via the whois protocol, the gopher part is just fluffy user interface.

(BTW: for those of you "worried" about WWW, you should be worried about
gopherd, it has much bigger security holes per the CERT advisory).

MarcV -- do you know of any other security holes besides gopher?
I can't think of any off the top of my head.

--sanders
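
The gopher port restriction proposed in the message above (port 70 and ports above 1024 only), written out as a check a client could run before opening a gopher connection. This is an added example, not part of the original message and not code from any browser; the function names, the extra_ports parameter and the example.org URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

GOPHER_DEFAULT_PORT = 70  # port used when a gopher URL names none


def gopher_port_allowed(url, extra_ports=frozenset()):
    """Return (allowed, reason) for a gopher URL under the policy
    'port 70 or any port > 1024', plus optional site-chosen exceptions."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on non-numeric or >65535
    except ValueError:
        return False, "malformed host or port"
    if parts.scheme != "gopher":
        return False, "not a gopher URL"
    if not parts.hostname:
        return False, "no host in URL"
    if port is None:
        port = GOPHER_DEFAULT_PORT
    if port == GOPHER_DEFAULT_PORT or port > 1024 or port in extra_ports:
        return True, "port %d permitted" % port
    # Everything left is a low port that normally belongs to another service.
    return False, "port %d is below 1025 and is not 70" % port


def refused(urls, extra_ports=frozenset()):
    """Return the URLs the policy would refuse, with the reason for each."""
    out = []
    for u in urls:
        ok, why = gopher_port_allowed(u, extra_ports)
        if not ok:
            out.append((u, why))
    return out


if __name__ == "__main__":
    # Constructed sample URLs, plus the two hosts named in the message.
    samples = [
        "gopher://gopher.example.org/1/",
        "gopher://gopher.example.org:2347/1/",
        "gopher://mail.example.org:25/0",
        "gopher://doppler.ncsc.org:71/",
        "gopher://nic.ddn.mil:43/",
        "gopher://gopher.example.org:notaport/",
    ]
    for url, why in refused(samples, extra_ports={71}):
        print("refused:", url, "-", why)
```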