WWW Security Hole

Marc VanHeyningen <mvanheyn@cs.indiana.edu>
From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
To: www-talk@nxoc01.cern.ch, marca@ncsa.uiuc.edu
Subject: WWW Security Hole
Date: Thu, 12 Aug 1993 10:44:00 -0500
Message-id: <24166.745170240@moose.cs.indiana.edu>
Sender: mvanheyn@cs.indiana.edu
Status: RO
I always suspected there might be a problem with the WWW paradigm
regarding security; specifically, what if one of the protocols is
general enough that commands specified in it could be legal for some
other protocol?

This concern is no longer academic.  Check out the document 


for a pointer to a document I consider somewhat dangerous.  I only
know that this security hole will work in Xmosaic; haven't tested
other browsers but it seems reasonable to assume any browser with the
standard lib is vulnerable.

What does it do?  It uses the gopher: scheme to cause your client to
attach to your local SMTP server and send a mail message to "root" on
your machine.  The message is innocent but in principle it could be to
anyone and say anyone, and it would be tracable to you (depending what
kind of security logging your system does.)

A few questions:

- Is plain gopher sans WWW vulnerable to this same problem?  Do they
  know about it?  If not, telling them (and also CERT) would be a good idea.

- How do we fix this?  (Just throwing in a minor patch for this
  particular attack is no good; we need a general solution for making
  sure that a gopher: URL actually points to a gopher server.)

WWW should be a safe place, where I can just point a beginner and have
him wander around.  This needs to be fixed, fast.
(Gee, wonder how many dozen copies of this will show up in my mailbox.
list into the newsgroups already, so we can use a sane discussion
mechanism instead of this?)

- Marc
Marc VanHeyningen  mvanheyn@cs.indiana.edu  MIME, RIPEM & HTTP spoken here