[3930] in WWW Security List Archive
Re: Potential Gopher Exploit (fwd)
daemon@ATHENA.MIT.EDU (Hallam-Baker)
Tue Dec 31 10:13:19 1996
From: Hallam-Baker <hallam@ai.mit.edu>
To: bwc0003@jove.acs.unt.edu (Benjamin Wayne Camp)
Date: Tue, 31 Dec 1996 07:50:27 -0500 (EST)
Cc: www-security@ns2.rutgers.edu, aisecur!HReilly@bpd.treas.gov
In-Reply-To: <Pine.GSO.3.95.961228012134.26249B-100000@jove.acs.unt.edu> from "Benjamin Wayne Camp" at Dec 28, 96 01:23:13 am
Errors-To: owner-www-security@ns2.rutgers.edu
Its a very well known, very old problem with Gopher. Basically
nobody has any business allowing gopher connections to ports other
than the standard assigned gopher port. There are a whole rack of problems
that gopher URLs open up.
At the time gopher support was important because there were more
gopher servers than HTTP servers. Unfortunately the Gopher people
were not very open to changes in their protocol to make URLs safe,
they insisted on a bizare interpretation of slash \ which in a Gopher
URL does not denote a hierarchical division simply to allow for
corner problems on MACs without extra code.
At this point my recommendation would be not to support Gopher at
all. I don't know of any advantages of Gopher over HTTP and I know
of plenty of security problems. The installed base is insignificant at this
point and declining.
Phill
