Re: solution time for www/smtp hole

rhb@hotsand.att.com
From: rhb@hotsand.att.com
Date: Thu, 12 Aug 93 21:11:43 EDT
Original-From: hotsand!rhb (Rich Brandwein)
Message-id: <9308130111.AA17898@hotsand.dacsand>
To: www-talk@nxoc01.cern.ch
Subject: Re: solution time for www/smtp hole
Cc: hotsand!ellson@dxmint.cern.ch
>  Thus wrote: 
>  >OK, let's bring this thing to a close.
>  >
>  >How about we start disallowing Gopher connections to anything other
>  >than 70 and 71 (some Gopher servers use the latter), HTTP connections
>  >to anything other than 80, Z39.50 and 210, and NNTP connections to
>  >anything other than (whatever the NNTP port is), etc. -- except for
>  >>1024, which is wide open.
>  
>  In general, I think it's safe to assume ports >1024 are OK.  There are
>  a few strange ways of using them I can imagine (e.g. sending malicious
>  code to somebody's X server) but my off-the-top-of-my-head opinion is
>  that they're not a real problem.
>  
>  There are some low ports that people use, but they generally follow
>  the "real" ones by small values (e.g. additional HTTP ports are often
>  81, 82, 83, Ohio State uses these if I recall correctly, and
>  additional gopher ports are often 71 as you mention.)
>  
>  >Is that sufficient to make AT&T and MvH happy?  Does it cause any
>  >impact on *current* functionality?

All sounds great.  We were going to just disallow strange ports as per
Bill Perry's suggestion, but this sounds better.  A side effect
of this could be to improve WWW's showings on the net use charts
(which go by specific ports).  

We've compiled pre-release 3 and it has some niceties (specifically
the handling of search pages and the cache clearing under navigate).
Hopefully we can ship this out tomorrow with the security patch (of
course deemphasizing the latter) and move on to more positive stuff.

Thanks to all for the timely fix!

Rich Brandwein
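The port rule proposed in the quoted message (each protocol may reach only its well-known port(s), or any port above 1024), written out as an added Python example. This is not code from the thread or from the WWW library; the minimal URL parser, the mapping from URL scheme to protocol (including "wais" for Z39.50), and NNTP's port 119 (which the message leaves as "whatever the NNTP port is") are my assumptions.

```python
import re
from typing import Optional, Tuple

# Allowed privileged ports per protocol, as proposed in the quoted message:
# gopher 70 and 71, HTTP 80, Z39.50 210, NNTP on its standard port.
# The thread does not state the NNTP number; 119 (the IANA assignment) is
# an assumption here.
WELL_KNOWN_PORTS = {
    "gopher": frozenset({70, 71}),
    "http": frozenset({80}),
    "z39.50": frozenset({210}),
    "nntp": frozenset({119}),
}

# Ports strictly above this are "wide open" under the proposal.
UNPRIVILEGED_FLOOR = 1024

# Assumed mapping from URL scheme to the wire protocol the client will speak.
SCHEME_TO_PROTOCOL = {
    "gopher": "gopher",
    "http": "http",
    "wais": "z39.50",
    "nntp": "nntp",
}

# Minimal scheme://host[:port][/path] parser (hypothetical, not libwww's).
_URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?P<host>[^/:]+)"
    r"(?::(?P<port>[0-9]+))?"
    r"(?:/.*)?$"
)


def parse_url(url: str) -> Optional[Tuple[str, str, Optional[int]]]:
    """Return (scheme, host, port or None) or None if the URL is malformed."""
    m = _URL_RE.match(url)
    if m is None:
        return None
    port = int(m.group("port")) if m.group("port") is not None else None
    return m.group("scheme").lower(), m.group("host"), port


def port_allowed(protocol: str, port: Optional[int]) -> Tuple[bool, str]:
    """Apply the proposed rule; return (decision, human-readable reason)."""
    known = WELL_KNOWN_PORTS.get(protocol)
    if known is None:
        # Fail closed: a protocol without a policy gets no connection at all.
        return False, f"no port policy for protocol {protocol!r}"
    if port is None:
        return True, "default port for the protocol"
    if not 0 < port <= 65535:
        return False, f"port {port} is out of range"
    if port > UNPRIVILEGED_FLOOR:
        return True, f"unprivileged port {port} (>{UNPRIVILEGED_FLOOR})"
    if port in known:
        return True, f"well-known {protocol} port {port}"
    # This is the case that closes the hole in the Subject line: e.g. a
    # gopher URL naming port 25 would otherwise hand the SMTP server
    # whatever selector string the URL carries.
    return False, f"{protocol} may not connect to privileged port {port}"


def check_url(url: str) -> bool:
    """True if the client may open the TCP connection this URL names."""
    parsed = parse_url(url)
    if parsed is None:
        return False
    scheme, _host, port = parsed
    protocol = SCHEME_TO_PROTOCOL.get(scheme)
    if protocol is None:
        return False
    allowed, _reason = port_allowed(protocol, port)
    return allowed


if __name__ == "__main__":
    # Constructed sample URLs; host names are placeholders.
    for u in ["gopher://host.example:25/", "gopher://host.example/",
              "http://host.example:8080/", "http://host.example:81/",
              "wais://host.example:210/", "ftp://host.example:21/"]:
        print(f"{'allow' if check_url(u) else 'deny ':5} {u}")
```

Note the side effect the quoted message itself points out: the strict rule refuses gopher://host:25/ but also http://host:81/, which it says some sites (Ohio State) use for extra HTTP servers, so a deployment would add such ports to WELL_KNOWN_PORTS rather than relax the >1024 floor.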