From: Rick Osborne <osborne@gateway.grumman.com>
Date: Thu, 17 Oct 1996 19:13:30 -0700 (PDT)
To: cypherpunks mailing list <cypherpunks@toad.com>
Subject: [NOISE::SECURITY] Disabled ports in Navigator
Message-ID: <3.0b36.32.19961017221127.00691b88@gateway.grumman.com>
MIME-Version: 1.0
Content-Type: text/plain


I was thinking about how to fix a sendmail program for our server when the
(most likely unoriginal) thought cam to me:  why not use your web broser as
a telnet tool?  You could embed CRLFs into the request field and the
receiving program would just throw the GET /[etc] out like I messed up or
something.  I could then add subsequent logins & commands to my heart's
content (or the string length of that particular browser's request field).
Being behind a firewall, I tend to think of these things. The only problem
would be with the fact that no EOL is ever sent, but with a good browser
that displays as content is streamed, you wouldn't have to worry about that.

Like I said, I doubt it's original because when I tried to do it in
Navigator I get a

Sorry, Access to the port number given has been disabled for security reasons.

error dialog.  I got this for all of the obvious ports (21,25,110, etc).

I only have 3.0 on my machine, so I don't know if it works with previous
versions.  MSIE3 doesn't disable the ports, but it doesn't start displaying
anything (it suffers from the stupidity of not displaying as it streams).

Has anyone else personally tried this?  My original idea was to see my home
email, with something like:

http://mail.here.com:110/user%20me%0D%0Apass [... etc]

Any comments, suggestions, etc?


Rick Osborne / C++ VB Pascal HTML VRML Java / osborne@gateway.grumman.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The NSA is now funding research not only in cryptography, but in all
areas of advanced mathematics. If you'd like a circular describing these
new research opportunities, just pick up your phone, call your mother,
and ask for one.