Re: Netscape 2.01 fixes server vulnerabilities by breaking the client...
(This was previously posted to cypherpunks list, I have expanded the
distribution to the firewalls list due to the content.)
In Article: <[email protected]>, Tom Weinstein <[email protected]> wrote:
# Rich Graves wrote:
# >
# > Now I suppose they'll want me to fix all the pages where I do a finger
# > with a gopher://host:79/0user Any chance this nonfix can be unfixed?
# >
# > This nonfix was applied to the UNIX and Win32 versions; I haven't
# > checked the other platforms.
# It may be unpleasant, but it's a fact that there was a real security
# hole here. There is a well known buffer overrun bug in finger that a
# lot of people inside firewalls haven't fixed. Using gopher: URLs
# in IMG tags it was possible to do nasty things. We tried to err on
# the side of permissivity, but finger was one port we just couldn't
# allow. Yes, it sucks. So does someone reaching through your firewall
# and running commands as root.
Let's look at this from the perspective of a company with a firewall:
Q: Do I want my users dictating what's allowed?
A: Probably not.
Q: Do I want my software vendors dictating what's allowed?
A: Maybe not.
Real Q1: When are sun/netscape/browser-vendor-x going to provide
standardized, secure, multi-tiered configuration options?
Real Q2: It seems to me that most of the standard TCP protocols that a
gopher client can talk to should have similarly standard protocol-specifiers
for the URL. Browser vendors are in a perfect position to say "this lack
of synchronization is a real problem" and "It's bitten us already" and to
take care of the problem by proposing RFCs.
Real Q3: (Somewhat off-topic) when are signed applets going to appear?
Comprehensive standards coupled with multi-tiered configuration options
would allow real-world customers and their net-neighbors to sleep a little
better at night.
--
[email protected]
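The "multi-tiered configuration" the post asks for, as an added sketch that is not part of the thread: a vendor baseline that denies port 79 for gopher: URLs (the 2.01 behaviour), a site layer owned by the firewall administrator that may lift that deny, and a user layer that may only tighten. The layer contents and the precedence rules are constructed assumptions.

```python
"""Added example: a tiered URL-port policy check (not from the thread).

Models three policy layers for deciding whether a browser may open a URL:
vendor (hard-coded baseline), site (firewall admin) and user. Any layer may
deny a port; only the site layer may re-enable a vendor-denied port; a user
deny always wins. All layer contents below are constructed samples.
"""
from urllib.parse import urlsplit

# Default ports applied when the URL carries none (gopher://host/1 -> 70).
DEFAULT_PORTS = {"gopher": 70, "http": 80, "ftp": 21}

# Constructed layers: 'deny' blocks a port, 'allow' lifts a lower layer's deny.
VENDOR = {"deny": {79}, "allow": set()}   # baseline: refuse finger's port
SITE = {"deny": set(), "allow": set()}    # firewall administrator's layer
USER = {"deny": set(), "allow": set()}    # end user's layer (deny only)


def effective_port(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if port is None:
        raise ValueError(f"cannot determine port for {url!r}")
    return scheme, parts.hostname, port


def decide(url, vendor=VENDOR, site=SITE, user=USER):
    """Return 'allow' or 'deny' for url under the three layers.

    Evaluation order: a user deny wins (users may tighten, never loosen);
    a vendor deny holds unless the site layer explicitly allows the port;
    a site deny holds regardless; anything else is allowed.
    """
    _, _, port = effective_port(url)
    if port in user["deny"]:
        return "deny"
    if port in vendor["deny"] and port not in site["allow"]:
        return "deny"
    if port in site["deny"]:
        return "deny"
    return "allow"


if __name__ == "__main__":
    for u in ("gopher://host:79/0user", "gopher://host/1", "http://host/"):
        print(u, "->", decide(u))
```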