Re: WWW Security Hole -- Bull!

Tony Sanders <sanders@bsdi.com>
Errors-To: sanders@bsdi.com
Message-id: <9308130056.AA16337@austin.BSDI.COM>
To: www-talk@nxoc01.cern.ch
Subject: Re: WWW Security Hole -- Bull! 
In-reply-to: rhb@hotsand.att.com's message of Thu, 12 Aug 93 19:45:33 EDT.
Reply-To: sanders@bsdi.com
Organization: Berkeley Software Design, Inc.
Date: Thu, 12 Aug 1993 19:56:10 -0500
From: Tony Sanders <sanders@bsdi.com>
Status: RO
> 	
> 	What WWW (and also Gopher) offers is something without precedent a few
> 	years ago; a very general ability to pass around objects which, when
> 	received, cause someone else to perform a particular network
> 	transaction without being specifically aware of doing so, potentially
> 	turning clients into gateways.  Is it so surprising that there are new
> 	security concerns?  I'm amazed (and pleased) there have been so few
> 	problems.
> 	
> 	- Marc
> 	--
> 	Marc VanHeyningen  mvanheyn@cs.indiana.edu  MIME, RIPEM & HTTP spoken here
> 						    ^^^^
> Don't take this wrong (i.e., from the tone of the last two messages), but what
> about MIME??!  The MIME/ghostview security hole was potentially much more devastating than
> the one you've uncovered for many reasons.  From your analysis, I would say that we should
> throw out MIME...

No, we should throw out application/postscript or fix ghostscript.

So throw out gopher or fix it.

--sanders