
List:       firewalls-gc
Subject:    Re: Mosiac --
From:       Ian Dunkin <imd1707 () ggr ! co ! uk>
Date:       1994-03-30 23:42:04

On Wed, 30 Mar 1994, Marcus J Ranum wrote:

> 	I did some experimenting with xmosaic today [...]

Eric Bina of NCSA was asking on comp.infosystems.www for suggestions
from `the security minded' on ways to fix the telnet/rlogin URL hole
(see appended).  It seems he was just thinking of eating a few
`dangerous' characters before the system() calls, but some people have
since asked why they do it that way at all.  I'm sure he'd find your
more overall analysis very timely, as he's trying to make the necessary
changes for Mosaic 2.3.

    I.

(I think some of this stuff actually _originated_ in the CERN WWW
library code rather than at NCSA, but..)

--
Ian Dunkin <imd1707@ggr.co.uk>
--

                            o /
-----------------------------x------------------------------------------
                            O \

From: ebina@ncsa.uiuc.edu (Eric Bina)
Newsgroups: comp.infosystems.www
Subject: Question to the security minded.
Date: 29 Mar 1994 18:59:56 GMT
Message-ID: <2n9trc$hng@vixen.cso.uiuc.edu>

Here is the modification I plan on making for Mosaic 2.3 to "fix" this
security problem with telnet and rlogin URLs.

The total form of these URLs is:

telnet://user@machine:port/
tn3270://user@machine:port/
rlogin://user@machine:port/

The system command executed for telnet and tn3270 is:

xterm -e telnet machine port

The system command executed for rlogin is:

xterm -e rlogin machine port -l user



The only part of the above URLs that must appear is the machine name.
The user and port are optional.  

The port isn't a problem, I just make sure it is a number.

The problems are the machine and user strings.

I am proposing to strip the following characters from those strings:

All whitespace, All quotes, single, double, or backwards, ';', '|', '<', and
'>'.


My question to you, the viewing audience is:

	Will this make telnet and rlogin URLs secure?



	Eric Bina
	ebina@ncsa.uiuc.edu
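The URL-to-command step that the post describes, as an added example in C (this is not Mosaic's or NCSA's code, and the command shapes are taken from the post, not from any Mosaic source): a string interpolated into `xterm -e telnet machine port` and handed to system(), the proposed blocklist strip beside it, and the alternative the thread hints at, an allowlist check on each URL component plus an argv vector for execvp() so that no shell ever parses the host or port. The host and user strings fed to it are constructed sample inputs. One practitioner's caveat the example makes visible: the blocklist as proposed leaves `$`, `&`, `(`, `)`, `\`, `*`, `?`, `#` and `~` untouched, all of which /bin/sh interprets, so a host such as `host.example$(id)&id` passes the strip unchanged and still reaches system(); the allowlist rejects it outright, and because it also refuses a leading `-` the host cannot be mistaken for a telnet option once it is passed as a bare argv element.

```c
/* Added example, not Mosaic's code: three ways to turn the host/port of a
 * telnet:// URL into a command.  Sample inputs below are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1. The shape the post describes: format a line for system(), i.e. for
 *    /bin/sh.  Whatever sh treats specially in `host` or `port` is honoured.
 *    Returns 1 if the line fit in `buf`. */
int build_shell_command(const char *host, const char *port,
                        char *buf, size_t bufsz)
{
    int n = snprintf(buf, bufsz, "xterm -e telnet %s %s", host, port);
    return n > 0 && (size_t)n < bufsz;
}

/* 2. The proposed blocklist: delete whitespace and ' " ` ; | < >.
 *    Survivors go to `out`; returns how many characters were dropped. */
size_t strip_dangerous(const char *in, char *out, size_t outsz)
{
    size_t dropped = 0, o = 0;
    for (; *in && o + 1 < outsz; in++) {
        unsigned char c = (unsigned char)*in;
        if (isspace(c) || strchr("'\"`;|<>", c)) { dropped++; continue; }
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return dropped;
}

/* 3a. Allowlist: dotted labels of [A-Za-z0-9-], no empty label, no label
 *     starting with '-', label <= 63 and total <= 255 characters. */
int valid_host(const char *h)
{
    size_t len = strlen(h);
    if (len == 0 || len > 255) return 0;
    int label_len = 0;
    for (const char *p = h; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '.') {
            if (label_len == 0) return 0;       /* empty label or leading dot */
            label_len = 0;
        } else if (isalnum(c) || (c == '-' && label_len > 0)) {
            if (++label_len > 63) return 0;
        } else {
            return 0;                           /* anything else is rejected */
        }
    }
    return label_len > 0;                       /* no trailing dot */
}

/* 3b. Port: decimal digits only, value 1..65535. */
int valid_port(const char *p)
{
    if (!*p || strlen(p) > 5) return 0;
    for (const char *q = p; *q; q++)
        if (!isdigit((unsigned char)*q)) return 0;
    long v = strtol(p, NULL, 10);
    return v >= 1 && v <= 65535;
}

/* 3c. Build argv for execvp(): no shell involved, each URL component is a
 *     single argument.  Returns argc, or 0 if validation fails. */
int build_telnet_argv(const char *host, const char *port,
                      const char **argv, int maxargs)
{
    if (maxargs < 6 || !valid_host(host) || !valid_port(port)) return 0;
    int argc = 0;
    argv[argc++] = "xterm";
    argv[argc++] = "-e";
    argv[argc++] = "telnet";
    argv[argc++] = host;
    argv[argc++] = port;
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    /* Constructed host that survives the blocklist untouched. */
    const char *evil = "host.example$(id)&id";
    char cmd[256], stripped[256];
    const char *argv[8];

    build_shell_command(evil, "23", cmd, sizeof cmd);
    printf("system() would run : %s\n", cmd);

    strip_dangerous(evil, stripped, sizeof stripped);
    build_shell_command(stripped, "23", cmd, sizeof cmd);
    printf("after blocklist    : %s\n", cmd);   /* still a shell command line */

    printf("allowlist verdict  : %s\n",
           build_telnet_argv(evil, "23", argv, 8) ? "accepted" : "rejected");

    int argc = build_telnet_argv("host.example", "23", argv, 8);
    printf("execvp argv        :");
    for (int i = 0; i < argc; i++) printf(" %s", argv[i]);
    printf("\n");   /* to launch: execvp(argv[0], (char *const *)argv); */
    return 0;
}
```

The allowlist is deliberately stricter than what a resolver accepts (no IPv6 literals, no underscores); for a URL handler that is the right trade, since the cost of a false reject is a failed click and the cost of a false accept is the shell. The same valid_host/valid_user style check applies to the `-l user` argument of the rlogin form.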
