
Re: fun with the web and security



On Wed, 28 Feb 1996, David A Wagner wrote:

> > This has been discussed a lot in the URI working groups since around 92. 
> > I think it's actually documented in the RFC
> 
> Really?  Could you give me any pointers to read up on?
> 
> I searched extensively at www.w3.org, and I did find the following
> excerpt in RFC1738 under Security Considerations:

> 
> I don't think this addresses exactly the same thing I was talking
> about-- I'm talking about a way to exploit arbitrary security holes,
> even against machines (normally) protected inside a firewall.
> 
> could still be exploited-- Ian has discovered a way to send arbitrary
> email messages with arbitrary headers to arbitrary hosts by abusing
> the mailto: URL, which should be sufficient to exploit several sendmail
> 
> So was that what you were talking about, or was there more discussion?

This is roughly what was talked about; I seem to remember DEBUG being
discussed with this (it's the one that takes the least typing). The URI WG
often got so tedious and repetitive I may have been unconscious and
dreaming it :-)

Simon

---
They say in  online country             So which side are you on boys
There is no middle way                  Which side are you on
You'll either be a Usenet man           Which side are you on boys
Or a thug for the CDA                   Which side are you on?
  National Union of Computer Operatives; Hackers, local 37   APL-CPIO