[25797] in bugtraq
Re: Flawed workaround in MS02-027 -- gopher can run on _any_ port, not
daemon@ATHENA.MIT.EDU (Mikael Olsson)
Fri Jun 14 16:23:04 2002
Message-ID: <3D09971C.34643010@clavister.com>
Date: Fri, 14 Jun 2002 09:11:24 +0200
From: Mikael Olsson <mikael.olsson@clavister.com>
MIME-Version: 1.0
To: Jim Paris <jim@jtan.com>
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Jim Paris wrote:
>
> Have you actually tried this?
I believe the question is: have _you_ actually tried this?
> On all versions I've tried and from what I've read elsewhere on the
> Net, MSIE doesn't work at all with gopher ports other than 70.
It works just fine. That is: the _first_ connection works just fine.
What _doesn't_ work is clicking around inside a gopher site on a non-
standard port, since after the first connection, MSIE promptly forgets
about the port number we gave it in the original URL, and connects to
port 70.
However, all an attacker needs is that first connection. :/
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
