Netscape 2.01 fixes server vulnerabilities by breaking the client...
Now I suppose they'll want me to fix all the pages where I do a finger with a gopher://host:79/0user. Any chance this nonfix can be unfixed? This nonfix was applied to the UNIX and Win32 versions; I haven't checked the other platforms. -rich
From http://home.netscape.com/eng/mozilla/2.01/relnotes/unix-2.01.html go to the security stuff and find:
* Relating to Ports:
2.01 fixes a problem where it was possible for a Gopher URL to be used to send commands to ports other than those that were reasonable for the Gopher service. It was possible that this feature could be used to exploit other security vulnerabilities behind firewalls. Navigator 2.01 fixes this problem by limiting the ports that a Gopher URL can access and by disallowing certain control characters in a valid Gopher URL.
Rich Graves wrote:
Now I suppose they'll want me to fix all the pages where I do a finger with a gopher://host:79/0user Any chance this nonfix can be unfixed?
This nonfix was applied to the UNIX and Win32 versions; I haven't checked the other platforms.
It may be unpleasant, but it's a fact that there was a real security hole here. There is a well known buffer overrun bug in finger that a lot of people inside firewalls haven't fixed. Using gopher: URLs in IMG tags it was possible to do nasty things. We tried to err on the side of permissivity, but finger was one port we just couldn't allow. Yes, it sucks. So does someone reaching through your firewall and running commands as root. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw@netscape.com
Phil Karlton wrote:
Rich Graves wrote:
How about limiting URLs on non-blessed ports to, say, 64 alphanumeric characters? I'm sure the documentation writers and technical support folks would hate you, but it should address these concerns.
This is not good enough. Many people, feeling secure on their side of a firewall, put proprietary information in their .plan files. Since the the Navigator is running inside that firewall, we can't give access to that data to sources coming from outside the firewall. Given the many ways to construct a URL, the safest was to prevent any access to the finger port (along with a number of others).
Of course, this isn't really a good reason because there's no way to get the information back out to the other side of the firewall. As a matter of fact, limiting URLs as Rich suggests might in fact be good enough. It's one of the possibilities we'll be looking at for reenabling finger and whois. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw@netscape.com
Rich Graves wrote:
How about limiting URLs on non-blessed ports to, say, 64 alphanumeric characters? I'm sure the documentation writers and technical support folks would hate you, but it should address these concerns.
This is not good enough. Many people, feeling secure on their side of a firewall, put proprietary information in their .plan files. Since the the Navigator is running inside that firewall, we can't give access to that data to sources coming from outside the firewall. Given the many ways to construct a URL, the safest was to prevent any access to the finger port (along with a number of others). PK -- Philip L. Karlton karlton@netscape.com Principal Curmudgeon http://home.netscape.com/people/karlton Netscape Communications They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin
On Fri, 29 Mar 1996, Tom Weinstein wrote:
It may be unpleasant, but it's a fact that there was a real security hole here. There is a well known buffer overrun bug in finger that a lot of people inside firewalls haven't fixed. Using gopher: URLs in IMG tags it was possible to do nasty things. We tried to err on the side of permissivity, but finger was one port we just couldn't allow. Yes, it sucks. So does someone reaching through your firewall and running commands as root.
How about limiting URLs on non-blessed ports to, say, 64 alphanumeric characters? I'm sure the documentation writers and technical support folks would hate you, but it should address these concerns. -rich
participants (3)
-
Phil Karlton -
Rich Graves -
Tom Weinstein