Re: WWW Security Hole -- Bull!

Keith Moore <moore@cs.utk.edu>
Message-id: <9308130341.AA00572@thud.cs.utk.edu>
From: Keith Moore <moore@cs.utk.edu>
To: rhb@hotsand.att.com
Cc: Marc VanHeyningen <att!att!nxoc01.cern.ch!daemon@dxmint.cern.ch>,
        www-talk@nxoc01.cern.ch, moore@cs.utk.edu
Subject: Re: WWW Security Hole -- Bull! 
In-reply-to: Your message of "Thu, 12 Aug 1993 19:45:33 EDT."
             <9308122345.AA17389@hotsand.dacsand> 
Date: Thu, 12 Aug 1993 23:41:44 -0400
Sender: moore@cs.utk.edu
To:  Marc VanHeyningen <att!att!nxoc01.cern.ch!daemon@dxmint.cern.ch>,
            www-talk@nxoc01.cern.ch
Subject:  Re: WWW Security Hole -- Bull!
Date:  Thu, 12 Aug 93 19:45:33 EDT

> Don't take this wrong (i.e., from the tone of the last two messages), but 
> what about MIME??!  The MIME/ghostview security hole was potentially 
> much more devastating than the one you've uncovered for many reasons. 
> From your analysis, I would say that we should throw out MIME...

I beg your pardon.  MIME itself doesn't have a ghostview security hole.  The
MIME spec has a long section on the security risks associated with the
application/postscript content-type.  (No doubt some will say that MIME
should not have allowed a postscript type at all due to the inherent
security hazards...)

The gopher security problem is just an example of why any content-type needs
to be scrutinized for security holes, before using it.

Keith Moore