Bugtraq mailing list archives

Re: Gopher attack? (not a sighting just a question)


From: Albert-Lunde () nwu edu (Albert Lunde)
Date: Mon, 27 Feb 1995 22:28:43 -0600 (CST)


I was thinking about the sendmail attack working from the inside as
opposed to the outside and it occurred to me that gopher sends email
(upon request) to transmit a file to the person using the gopher server.
Could this be used (by sending the mail to another user on the gopher
server) to launch the sendmail attack as an insider?  Probably not,
but I just thought I'd ask.

I'm relatively familiar with the UMN gopher software, and my impression
is that the Unix gopher client will send mail (i.e. mailing files to
oneself), but the Unix gopher server does not send mail.  Exceptions
to this may occur in scripts added to process gopher+ ASK forms or
other gateways, but I don't think sending mail is required to support
the data types and gateways built into the UMN gopherd.

I'm not 100% sure of this...  but a quick grep of the 2.1.3 sources
tends to confirm that references to sending mail are only in the client.

Gopher gateways and WWW CGI scripts seem like potential vulnerabilities
for many systems, since they are passed around between sites but
get less checking than the main server code.

-- 
    Albert Lunde                      Albert-Lunde () nwu edu


