1996-03-30 - Re: Netscape 2.01 fixes server vulnerabilities by breaking the client…

Header Data

From: Rich Graves <llurch@networking.stanford.edu>
To: Tom Weinstein <tomw@netscape.com>
Message Hash: 6c0a68b99c2835a844135037cc2ce2178148afcd4674e03f0508866cb299d585
Message ID: <Pine.SUN.3.92.960329181511.15466A-100000@elaine17.Stanford.EDU>
Reply To: <315C8FCB.2781@netscape.com>
UTC Datetime: 1996-03-30 12:21:07 UTC
Raw Date: Sat, 30 Mar 1996 20:21:07 +0800

Raw message

From: Rich Graves <llurch@networking.stanford.edu>
Date: Sat, 30 Mar 1996 20:21:07 +0800
To: Tom Weinstein <tomw@netscape.com>
Subject: Re: Netscape 2.01 fixes server vulnerabilities by breaking the client...
In-Reply-To: <315C8FCB.2781@netscape.com>
Message-ID: <Pine.SUN.3.92.960329181511.15466A-100000@elaine17.Stanford.EDU>
MIME-Version: 1.0
Content-Type: text/plain


On Fri, 29 Mar 1996, Tom Weinstein wrote:

> It may be unpleasant, but it's a fact that there was a real security
> hole here.  There is a well known buffer overrun bug in finger that a
> lot of people inside firewalls haven't fixed.  Using gopher: URLs
> in IMG tags it was possible to do nasty things.  We tried to err on
> the side of permissivity, but finger was one port we just couldn't
> allow.  Yes, it sucks.  So does someone reaching through your firewall
> and running commands as root.

How about limiting URLs on non-blessed ports to, say, 64 alphanumeric
characters? I'm sure the documentation writers and technical support
folks would hate you, but it should address these concerns.

-rich
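
The length and character-set limit suggested in the reply above, sketched as a URL filter. This is an added example, not part of the original message and not Netscape's code; it assumes a "blessed" port means the scheme's default port and that "/" separators are not counted, and `check_url`, the port table and the host names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Assumption: a "blessed" port is the scheme's own default port.
# The message does not define the term, and this table is illustrative.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}
# finger (TCP 79) is the port the quoted message says is refused outright.
DENIED_PORTS = {79}
MAX_CHARS = 64  # limit suggested in the reply
ASCII_ALNUM = re.compile(r"[A-Za-z0-9]*")


def check_url(url):
    """Return (allowed, reason) for one URL under the suggested policy."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return False, "unsupported scheme or missing host"
    if port is None:
        port = DEFAULT_PORTS[scheme]
    if port in DENIED_PORTS:
        return False, "denied port"
    if port == DEFAULT_PORTS[scheme]:
        return True, "blessed port"
    # Non-blessed port: restrict what would be sent to the server.
    # Assumption: "/" separators are not counted; everything else in the
    # path and query must be ASCII alphanumeric, so "%" escapes (which could
    # encode CR/LF or raw bytes) are rejected without being decoded.
    payload = parts.path.replace("/", "")
    if parts.query:
        payload += "?" + parts.query
    if len(payload) > MAX_CHARS:
        return False, "too long for non-blessed port"
    if not ASCII_ALNUM.fullmatch(payload):
        return False, "non-alphanumeric on non-blessed port"
    return True, "short alphanumeric"


if __name__ == "__main__":
    # Constructed sample URLs; the host names are placeholders.
    for u in ("gopher://gopher.example/1/docs",
              "gopher://inside.example:79/0user",
              "gopher://host.example:8070/0menu",
              "gopher://host.example:8070/0abc%0D%0Adef",
              "http://host.example:8080/index.html"):
        print(check_url(u), u)
```

The last sample shows the cost the reply anticipates: an ordinary `index.html` on port 8080 is refused because of the dot.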





