Bugtraq mailing list archives
Re: Gopher attack? (not a sighting just a question)
From: Albert-Lunde () nwu edu (Albert Lunde)
Date: Mon, 27 Feb 1995 22:28:43 -0600 (CST)
I was thinking about the sendmail attack working from the inside as opposed to the outside and it occurred to me that gopher sends email (upon request) to transmit a file to the person using the gopher server. Could this be used (by sending the mail to another user on the gopher server) to launch the sendmail attack as an insider? Probably not, but I just thought I'd ask.
I'm relatively familiar with the UMN gopher software, and my impression is that the Unix gopher client will send mail (i.e. mailing files to oneself), but the Unix gopher server does not send mail. Exceptions to this may occur in scripts added to process gopher+ ASK forms or other gateways, but I don't think sending mail is required to support the data types and gateways built into the UMN gopherd.

I'm not 100% sure of this... but a quick grep of the 2.1.3 sources tends to confirm that references to sending mail are only in the client.

Gopher gateways and WWW CGI scripts seem like potential vulnerabilities for many systems, since they are passed around between sites but get less checking than the main server code.

--
Albert Lunde
Albert-Lunde () nwu edu