Re: WWW Security Hole -- Bull! -- Bull!

Tony Sanders <>
Message-id: <9308130044.AA16246@austin.BSDI.COM>
Subject: Re: WWW Security Hole -- Bull! -- Bull! 
In-Reply-To: Marc VanHeyningen's message of Thu, 12 Aug 93 16:46:53 CDT.
Organization: Berkeley Software Design, Inc.
Date: Thu, 12 Aug 1993 19:44:01 -0500
From: Tony Sanders <>
Status: RO
> location of the request; say, the president or CEO or their
> company/University/etc.) and the contents of such mail sufficiently
> bad (say, brutal rape and death threats) it would not be difficult to
> envision having accounts yanked, being fired or expelled, and the like
> to happen to many people before the truth was discovered (if it ever
> was; depends how clever I was about it.)
This would never happen, a simple grep through the users files would find
the offensive data in the .mosaic-global-history file and from there it
wouldn't take a genius to figure out the rest.  The site serving the
offending data would probably have their net connection yanked in short
order until things could be sorted out.

This is a good reason for browsers to keep good log files of what they do.

Also, the big problem is the behind the users back aspect of <IMG>
retrieval.  At least, with normal links the user can see the URL
before clicking on it.  So paranoids might want to have browsers that
let them verify non-standard requests on these.

> In general, safety is more important than functionality.  Period.
> That's why we have speed limits on roads, and that's why we need this
> fix.

I agree that this should be fixed.  For gopher it seems reasonable to
limit access to only ports 70 and >1024.  Sites that use ports <1024 that
aren't port 70 are broken.  As far as I know there is only one that matters:, big deal (allow 70 and 71 if you want).
is the other and it's just a goophy gopher/whois port, all the information
is via the whois protocol, the gopher part is just fluffy user interface.

(BTW: for those of you "worried" about WWW, you should be worried about
gopherd, it has much bigger security holes per the CERT advisory).

MarcV -- do you know of any other security holes besides gopher?
I can't think of any off the top of my head.