WWW Security Hole

George Phillips (phillips@cs.ubc.ca)
12 Aug 93 11:56 -0700


Well, there's no way you can tell that a URL points to a gopher server
(or a HTTP server or an FTP server or an NNTP server). Unless you
restrict gopher URLs to port 70, HTTP to port 80, etc.

Gopher is less vulnerable to this problem since you'll only be able to
convince it to send a single line to an arbitrary port.

You can avoid most of the problem by not letting the browsers translate
% escapes into newlines and carriage returns. That won't restrict
your access to gopherspace. While you're at it you may as well not
translate %09 into tab. The change to xmosaic 1.2 is trivial: hack
de_escape() in HTGopher.c. It is equally easy (the same?) for libwww2.

The gopher URL will still let you send almost any single line of text
to any port on any machine, but you have to allow that if you want
to talk gopher. The lack of translation on HTTP URLs limits the
danger, but you can almost get away with

<A HREF="/garbage
MAIL FROM: <gopher-user>
and so on
">mail it</A>

Certainly something to be careful of. This problem could exist for FTP
and other protocols, but they don't do translation of funny characters.
This is a bug and when that bug is fixed they'll also have to be careful
of CR and LF sneaking in there.

-- George
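The mitigation George proposes, a de-escaping routine that refuses to turn %0D, %0A and %09 into carriage return, newline and tab, written out as an added example. This is not the xmosaic 1.2 or libwww2 code; the function names `safe_de_escape`, `request_line_is_clean` and `decodes_to` are hypothetical, and the sample URLs in `main` are constructed for the demonstration. A raw-line check is included as well, for the case of a literal newline already sitting inside an HREF.

```c
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Characters that must never be produced from a %XX escape when the
 * result is going to be sent as part of a request line. */
static int is_line_control(int c)
{
    return c == '\r' || c == '\n' || c == '\t';
}

/* Decode %XX escapes from `in` into `out`, leaving %0D, %0A and %09
 * untranslated (the three characters stay as literal "%0D" etc.).
 * Incomplete escapes such as "%4" are copied through unchanged.
 * Returns the number of bytes written (excluding the NUL), or -1 if
 * `out` is too small. Hypothetical name; not the browser's own routine. */
int safe_de_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%' && hexval((unsigned char)in[i + 1]) >= 0
                     && hexval((unsigned char)in[i + 2]) >= 0) {
            int v = hexval((unsigned char)in[i + 1]) * 16
                  + hexval((unsigned char)in[i + 2]);
            if (!is_line_control(v)) {
                c = v;      /* ordinary escape: translate it */
                i += 2;
            }
            /* otherwise keep the '%' and let the two hex digits follow
             * on the next iterations, so the escape survives verbatim */
        }
        if (o + 1 >= outlen) return -1;   /* keep room for the NUL */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Second line of defence: a path destined for a request line must not
 * already contain a raw CR or LF (the multi-line HREF case). */
int request_line_is_clean(const char *s)
{
    return strchr(s, '\r') == NULL && strchr(s, '\n') == NULL;
}

/* Convenience check for the demonstration: decode `in` and compare. */
int decodes_to(const char *in, const char *expected)
{
    char buf[256];
    if (safe_de_escape(in, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample paths for the demonstration. */
    const char *samples[] = {
        "/docs/hello%20world",       /* harmless escape, decoded */
        "/x%0D%0AMAIL%20FROM:",      /* CR/LF escapes stay untranslated */
        "%41%09B",                   /* tab escape stays untranslated */
    };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        safe_de_escape(samples[i], buf, sizeof buf);
        printf("%-24s -> %s\n", samples[i], buf);
    }
    printf("raw newline in path is clean? %d\n",
           request_line_is_clean("/garbage\nMAIL FROM: <user>"));
    return 0;
}
```

With this, a gopher or HTTP URL can still carry one line of the user's choosing, as the post notes, but no second line can be smuggled in through percent escapes, and a caller can use the raw-line check to drop a path that already spans lines.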