Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet
From: der Mouse <mouse () Rodents Montreal QC CA>
Date: Wed, 5 Mar 2003 21:14:38 -0500 (EST)
>> C:\>telnet www.blockedsite.com 80
>> GET / HTTP/1.1

>> Given the nature of Telnet, the request is sent to the server one
>> character at a time;

> Actually, in these situations, telnet works line-based.

In those situations (where character-at-a-time has not been negotiated
on), telnet is _supposed_ to work line-based.

Unfortunately - see that "C:\>"? - most wintel telnets were written by
people who either didn't understand the standard or were incompetent to
follow it (or perhaps just couldn't be bothered? I dunno) and use
character-at-a-time mode even when it hasn't been negotiated on.

> That's also why backspace works (modulo matching terminal emulator
> and stty settings).

In wintel telnets, backspace often _doesn't_ work, because of exactly
that, though it may look like it when typing because the echo of the
0x08 octet (whichever end generates the echo) makes the cursor move

I know all this because I am server code wiz for a mud, and I've hacked
in kludges to work around some of the most egregious problems I've seen
in various telnets. (All the problematic telnets have come from an
infamous company based in Redmond, oddly enough.) Mercifully, one of
the other people who uses that mud (a) muds from Windows and (b) is
technically clued, an odd combination but one that's useful when
testing such things.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse () rodents montreal qc ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
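
Added example, not part of the original post: the line-mode versus character-at-a-time difference discussed above, as an inspecting filter sees it. It assumes a filter that matches each TCP segment in isolation (the post does not say how the 3Com filter works) and a request that carries a Host header; every function name here is hypothetical and the request is constructed.

```python
# Added example: constructed request and hypothetical names throughout.
BLOCKED_HOSTS = {"www.blockedsite.com"}  # hostname from the quoted advisory
REQUEST = b"GET / HTTP/1.1\r\nHost: www.blockedsite.com\r\n\r\n"  # Host header assumed
MAX_HEADER = 8192  # assumed cap so an endless header cannot exhaust filter memory


def line_mode_segments(data):
    """Writes of a line-mode client: one per completed line."""
    return data.splitlines(keepends=True)


def char_mode_segments(data):
    """Writes of a character-at-a-time client: one octet each."""
    return [data[i:i + 1] for i in range(len(data))]


def per_segment_blocks(segments):
    """Assumed weak design: each segment is matched on its own."""
    return any(h.encode() in s.lower() for s in segments for h in BLOCKED_HOSTS)


def host_of(header_block):
    """Lower-cased Host value from a complete header block, else None."""
    for line in header_block.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None


def reassembled_verdict(segments):
    """Hold data until the header block is complete, then decide once."""
    buf = bytearray()
    for seg in segments:
        buf += seg
        end = buf.find(b"\r\n\r\n")
        if end >= 0:
            blocked = host_of(bytes(buf[:end])) in BLOCKED_HOSTS
            return "block" if blocked else "allow"
        if len(buf) > MAX_HEADER:
            return "block"  # fail closed on an oversized header block
    return "hold"  # headers incomplete: nothing is forwarded yet


if __name__ == "__main__":
    for name, segs in (("line", line_mode_segments(REQUEST)),
                       ("char", char_mode_segments(REQUEST))):
        print(name, len(segs), per_segment_blocks(segs), reassembled_verdict(segs))
```

The per-segment check gives different answers for the two client behaviours, while the reassembling check gives the same verdict however the client splits its writes.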