This concern is no longer academic. Check out the document
http://cs.indiana.edu/security-demo.html
for a pointer to a document I consider somewhat dangerous. I only
know that this security hole will work in Xmosaic; haven't tested
other browsers but it seems reasonable to assume any browser with the
standard lib is vulnerable.
What does it do? It uses the gopher: scheme to cause your client to
attach to your local SMTP server and send a mail message to "root" on
your machine. The message is innocent but in principle it could be to
anyone and say anyone, and it would be traceable to you (depending on what
kind of security logging your system does.)
A few questions:
- Is plain gopher sans WWW vulnerable to this same problem? Do they
know about it? If not, telling them (and also CERT) would be a good idea.
- How do we fix this? (Just throwing in a minor patch for this
particular attack is no good; we need a general solution for making
sure that a gopher: URL actually points to a gopher server.)
WWW should be a safe place, where I can just point a beginner and have
him wander around. This needs to be fixed, fast.
(Gee, wonder how many dozen copies of this will show up in my mailbox. Can someone <STRONG><STRONGER>PLEASE</STRONGER></STRONG> gateway the list into the newsgroups already, so we can use a sane discussion mechanism instead of this?)
- Marc
--
Marc VanHeyningen [email protected] MIME, RIPEM & HTTP spoken here
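One shape the "general solution" asked for above can take is a policy check the client applies to every gopher: URL before opening a socket: refuse ports belonging to well-known non-gopher services (SMTP on 25 being the case in the message) and refuse selectors that are not a single line. This is an added illustration, not code from the message or from any browser of the time; the port list, `check_gopher_url` name and the sample URLs are constructed for the example.

```python
from typing import Tuple
from urllib.parse import urlsplit, unquote

GOPHER_DEFAULT_PORT = 70

# Constructed policy for this example: ports of line-oriented text services
# that a gopher client must never be steered into. 25 is SMTP, the service
# the message above describes being reached through a gopher: URL.
BLOCKED_PORTS = {21, 23, 25, 110, 119, 143}


def check_gopher_url(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a gopher: URL under the policy above.

    The check runs before any connection is made, so a rejected URL never
    causes the client to speak to the named host and port at all.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        return False, "not a gopher URL"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port or GOPHER_DEFAULT_PORT
    except ValueError:
        return False, "invalid port"
    if port in BLOCKED_PORTS:
        return False, "port %d is a non-gopher service" % port
    # A gopher selector is one line; decode %-escapes first so an encoded
    # line terminator cannot slip past the check.
    selector = unquote(parts.path)
    if "\r" in selector or "\n" in selector:
        return False, "selector is not a single line"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs: only the first and third should be fetched.
    for u in ("gopher://gopher.example.org/1/",
              "gopher://gopher.example.org:25/",
              "gopher://gopher.example.org:7070/1/",
              "gopher://gopher.example.org/0/a%0D%0Ab"):
        print(u, "->", check_gopher_url(u))
```

A client that also wants to allow non-standard gopher ports (7070 in the sample) can keep doing so; the policy only closes the door on ports already owned by other protocols.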