Received: with ECARTIS (v1.0.0; list gopher); Mon, 22 Jul 2002 20:25:35 -0500 (EST) Return-Path: Delivered-To: gopher@complete.org Received: from smtp-send.myrealbox.com (smtp-send.myrealbox.com [192.108.102.143]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "*.myrealbox.com", Issuer "Thawte Server CA" (not verified)) by pi.glockenspiel.complete.org (Postfix) with ESMTP id C51C83B85F for ; Mon, 22 Jul 2002 20:25:31 -0500 (EST) Received: from transa.aquarius.null aangel@smtp-send.myrealbox.com [24.171.111.62] by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 3.9 $ on Novell NetWare via secured & encrypted transport (TLS); Mon, 22 Jul 2002 19:25:27 -0600 Subject: [gopher] Re: [Bug 71916] security problem with gopher and arbitary ports From: "Aaron J. Angel" To: gopher@complete.org In-Reply-To: <20020723010900.GA27682@complete.org> References: <200207222335.g6MNZvl09279@mothra.mozilla.org> <20020723010900.GA27682@complete.org> Content-type: text/plain Content-Transfer-Encoding: 8bit X-Mailer: Ximian Evolution 1.0.5 Date: 22 Jul 2002 20:25:05 -0500 Message-Id: <1027387505.16207.19.camel@transa.aquarius.null> Mime-Version: 1.0 X-archive-position: 666 X-ecartis-version: Ecartis v1.0.0 Sender: gopher-bounce@complete.org Errors-to: gopher-bounce@complete.org X-original-sender: aangel@myrealbox.com Precedence: bulk Reply-to: gopher@complete.org List-help: List-unsubscribe: List-software: Ecartis version 1.0.0 List-ID: Gopher X-List-ID: Gopher List-subscribe: List-owner: List-post: List-archive: X-list: gopher On Mon, 2002-07-22 at 20:09, John Goerzen wrote: > > On Mon, Jul 22, 2002 at 04:35:57PM -0700, bugzilla-daemon@mozilla.org wrote: > > > The fact that gopher doesn't prepend requests with anything is the root > > cause of the problem. An attacker can attack almost any protocol through > > a gopher URL. HTTP doesn't have this problem because it preceeds requests > > with "GET ", which is unlikely to decode to legal syntax for any non-HTTP > > protocol. > > So what kind of problem is this going to cause? It's not, if people stop wasting their time fixing a nonexistant Gopher URL problem and spend more time patching their servers. > Couldn't somebody use telnet to the same effect? No, Gopher URLs don't specify anything but the server and port, to my knowledge, and so are only used to connect to the server, not to send any data to it. > If it's a buffer overflow, the extra four "GET " characters are unlikely to > be particularly helpful in mitigating the situation. It's not even that, it's a *potential* problem with other server software, not with Moz. > If you're thinking of a protocol like SMTP, servers will ignore the invalid > "GET " line and still continue reading commands looking for more. Hardly a > serious impediment. Hell, let's remove https because trying to negotiate > SSL with a server that doesn't support it could cause a denial of service to > that machine. The point was Gopher URLs and (ab)using the Gopher protocol can be used to simulate virtually any protocol, including SMTP (read down a little further on the comments, there's an example with SMTP). > What this comes down to is that you are either 1) using gopher as a > scapegoat because Mozilla's internal security is too lax to deal with remote > accesses in the first place (see bug #28327), or 2) somehow taking > responsibility for all the world's security problems in one application. > The two seem oddly contradictory. Number 2 hit it right on. > Meanwhile, you seriously hamper a useful protocol, violating standards left > and right, in a bid to be worse than IE at handling the easiest-to-handle > protocol you could come in contact with. I'm boggled. Agreed, agreed, agreed. So am I. > Tell me something: Why should we be prevented from accessing > nic.merit.edu:7043 (a useful and valuable collection of information about > Internet protocols, history, and evolution; 781,000 documents) or the > government of British Columbia, Canada (bcsc02.gov.bc.ca:65507, 149 > documents), the Hungarian Electronic Library (gopher.mek.iif.hu:7074, 8726 > documents), etc. just because of this purely theoretical vulnerability in a > third-party application, not even the fault of Gopher or Mozilla? Oooh, thank you, thank you, thank you! More Gopher sites to book mark. > You are not talking about some small corner of the 'net with only a couple > of servers. Cameron Kaiser's efforts to index Gopherspace have turned up > 7,233,660 unique and verified selectors. Gopher is still in active use, is > still useful, is still supported, is still being enhanced, is still being > actively developed, is still valuable to many, and is still important for > support in a browser. Indeed. Stolz comment was a bit premature. I wonder how many times he's actually used Gopher, or looked for Gopher servers. There are plenty out there on port 70, and plenty out there not on port 70. > If you remain concerned about the possibilities of the gopher protocol, > despite the fact that Bradley Baetz wrote over a year ago that "We could now > remove the port 70 restriction", I would be happy to work with you to > develop a less-Draconian solution, one that is less likely to cause such > harm. There are many options -- the simplest being a confirmation box with > a checkmark for "don't show me this again". Indeed. Restricting something permenently like that, when it's not even a bug, is just wrong. The user should be able to use the software, and that's clearly not the case with Gopher. I think I'll go check up on bug reports, and see if one hasn't already been submitted regarding the buggy Gopher URL bugfix. -- Aaron J. Angel