|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Gopher attack? (not a sighting just a question)
Albert Lunde (Albert-Lunde
nwu.edu)Mon, 27 Feb 1995 22:28:43 -0600 (CST)
- Messages sorted by: [ date ][ thread ][ subject ][ author ]
- Next message: Robert M. Haas: "Re: Sendmail fixkit"
- Previous message: Peter Wemm: "Re: snooper watchers"
- In reply to: Dr. Frederick B. Cohen: "Gopher attack? (not a sighting just a question)"
> I was thinking about the sendmail attack working from the inside as
> opposed to the outside and it occured to me that gopher sends email
> (upon request) to transmit a file to the person using the gopher server.
> Could this be used (by sending the mail to another user on the gopher
> server) to launch the sendmail attack as an insider? Probably not,
> but I just thought I'd ask.
I'm relatively familiar with the UMN gopher software, and my impression
is that the Unix gopher client will send mail (i.e. mailing files to
oneself), but the Unix gopher server does not send mail. Exceptions
to this may occur in scripts added to process gopher+ ASK forms or
other gateways, but I don't think sending mail is required to support
the data types and gateways built into the UMN gopherd.
I'm not 100% sure of this... but a quick grep of the 2.1.3 sources
tends to confirm that references to sending mail are only in the client.
Gopher gateways and WWW CGI scripts seem like potential vulnerablities
for many systems, since they are passed around between sites but
get less checking than the main server code.
--
Albert Lunde Albert-Lundenwu.edu
- Next message: Robert M. Haas: "Re: Sendmail fixkit"
- Previous message: Peter Wemm: "Re: snooper watchers"
- In reply to: Dr. Frederick B. Cohen: "Gopher attack? (not a sighting just a question)"