1996-02-29 - Re: fun with the web and security

Header Data

From: Simon Spero <ses@tipper.oit.unc.edu>
To: daw@cs.berkeley.edu
Message Hash: 475dce9f152e391f3f54c74679ebd4b7f84afb7484a3177bdbca9d367431ccc5
Message ID: <Pine.SOL.3.91.960228164915.1974D-100000@chivalry>
Reply To: <9602280905.AA16242@espresso.CS.Berkeley.EDU.mammoth>
UTC Datetime: 1996-02-29 01:49:45 UTC
Raw Date: Thu, 29 Feb 1996 09:49:45 +0800

Raw message

From: Simon Spero <ses@tipper.oit.unc.edu>
Date: Thu, 29 Feb 1996 09:49:45 +0800
To: daw@cs.berkeley.edu
Subject: Re: fun with the web and security
In-Reply-To: <9602280905.AA16242@espresso.CS.Berkeley.EDU.mammoth>
Message-ID: <Pine.SOL.3.91.960228164915.1974D-100000@chivalry>
MIME-Version: 1.0
Content-Type: text/plain


On Wed, 28 Feb 1996, David A Wagner wrote:

> > This has been discussed a lot in the URI working groups since around 92. 
> > I think it's actually documented in the RFC
> 
> Really?  Could you give me any pointers to read up on?
> 
> I searched extensively at www.w3.org, and I did find the following
> excerpt in RFC1738 under Security Considerations:

> 
> I don't think this addresses exactly the same thing I was talking
> about-- I'm talking about a way to exploit arbitrary security holes,
> even against machines (normally) protected inside a firewall.
> 
> could still be exploited-- Ian has discovered a way to send arbitrary
> email messages with arbitrary headers to arbitrary hosts by abusing
> the mailto: URL, which should be sufficient to exploit several sendmail
> 
> So was that what you were talking about, or was there more discussion?

This is roughly what was talked about; I seem to remember DEBUG being 
discussed with this (it's the one that takes the least typing). The URI WG 
often got so tedious and repetitive I may have been unconscious and 
dreaming it :-)

Simon

---
They say in  online country             So which side are you on boys
There is no middle way                  Which side are you on
You'll either be a Usenet man           Which side are you on boys
Or a thug for the CDA                   Which side are you on?
  National Union of Computer Operatives; Hackers, local 37   APL-CPIO





