[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: fun with the web and security

To: [email protected]
Subject: Re: fun with the web and security
From: Bill Stewart <[email protected]>
Date: Thu, 29 Feb 1996 00:45:42 -0800
Cc: [email protected]
Sender: [email protected]

At 06:38 PM 2/27/96 -0800, you wrote:
>Here's a fun way to exploit security holes via the web:
>	http://www.cs.berkeley.edu/~daw/js1.html
>A rough representation of its contents follow.

Well, that was amusing.  (It gophered to localhost:25 and sent
some mail and attempted to exploit a traditional sendmail bug.)
I was wondering what would happen, since I'm behind a firewall
and don't _have_ an SMTP listener on port 25, nor does my PC really
do localhost in any useful manner.  What happened, of course,
was that Netscape used my proxy settings for gopher,
sent the request to the firewall, and tried to connect to localhost:25 there;
it answered, accepted some mail for delivery, then
503 Need MAIL before RCPT
503 Need MAIL command
500 Command unrecognized
                ... many of these
500 Command unrecognized
501 Syntax error in parameters scanning "root@localhost"
500 Command unrecognized
500 Command unrecognized
500 Command unrecognized
221 [MY PROXY MACHINE'S NAME]. closing connection


Good stuff.  (And I assume the proxy server had the debug hole blocked...)




#--
#				Thanks;  Bill
# Bill Stewart, [email protected] / [email protected] +1-415-442-2215
# http://www.idiom.com/~wcs     Pager +1-408-787-1281

Prev by Date: Re: PGP to PC mail integration
Next by Date: Re: S/MIME outside the US?
Prev by thread: Re: fun with the web and security
Next by thread: Anyone else getting these?
Index(es):
- Date
- Thread