17 Dec
2003
17 Dec
'03
11:17 p.m.
On Fri, 29 Mar 1996, Tom Weinstein wrote:
It may be unpleasant, but it's a fact that there was a real security hole here. There is a well known buffer overrun bug in finger that a lot of people inside firewalls haven't fixed. Using gopher: URLs in IMG tags it was possible to do nasty things. We tried to err on the side of permissivity, but finger was one port we just couldn't allow. Yes, it sucks. So does someone reaching through your firewall and running commands as root.
How about limiting URLs on non-blessed ports to, say, 64 alphanumeric characters? I'm sure the documentation writers and technical support folks would hate you, but it should address these concerns. -rich