|
Bugtraq
mailing list archives
Re: Gopher attack? (not a sighting just a question)
From: Albert-Lunde () nwu edu (Albert Lunde)
Date: Mon, 27 Feb 1995 22:28:43 -0600 (CST)
I was thinking about the sendmail attack working from the inside as
opposed to the outside and it occured to me that gopher sends email
(upon request) to transmit a file to the person using the gopher server.
Could this be used (by sending the mail to another user on the gopher
server) to launch the sendmail attack as an insider? Probably not,
but I just thought I'd ask.
I'm relatively familiar with the UMN gopher software, and my impression
is that the Unix gopher client will send mail (i.e. mailing files to
oneself), but the Unix gopher server does not send mail. Exceptions
to this may occur in scripts added to process gopher+ ASK forms or
other gateways, but I don't think sending mail is required to support
the data types and gateways built into the UMN gopherd.
I'm not 100% sure of this... but a quick grep of the 2.1.3 sources
tends to confirm that references to sending mail are only in the client.
Gopher gateways and WWW CGI scripts seem like potential vulnerablities
for many systems, since they are passed around between sites but
get less checking than the main server code.
--
Albert Lunde Albert-Lunde () nwu edu
 By Date 
By Thread
Current thread:
- Lotus Notes (was Re: Sendmail Fixkit), (continued)
another Web bitchout *Hobbit* (Feb 25)
A (possibly) better way to get input integrity Dr. Frederick B. Cohen (Feb 25)
|
Intro
