[gopher] FW: [Bug 71916] security problem with gopher and arbitary ports

[John Goerzen <jgoerzen@xxxxxxxxxxxx>]

----- Forwarded message from bugzilla-daemon@xxxxxxxxxxx -----

From: bugzilla-daemon@xxxxxxxxxxx
Date: Mon, 22 Jul 2002 19:00:49 -0700 (PDT)
To: jgoerzen@xxxxxxxxxxxx
Subject: [Bug 71916] security problem with gopher and arbitary ports

http://bugzilla.mozilla.org/show_bug.cgi?id=71916





------- Additional Comments From jgoerzen@xxxxxxxxxxxx  2002-07-22 19:00 -------
I'd also like to highlight some other statements made in this bug.


The original report states that this could not be a problem with HTTP or FTP 
because of the header.  This is not so.  Plenty of protocols could be 
made to easily ignore that header (SMTP for one, NNTP for another, with IMAP, 
it would actually be perfectly valid "GET LOGIN foo bar" is a login 
IMAP command).  So the original premise that this is only a Gopher problem is 
flawed.  Therefore, the conclusion that "gopher should be singled out" 
is equally flawed.


Mitchell Stoltz asserted that there are "infintessimally few" running on 
nonstandard ports.  I have shown you, in about 3 minutes of searching, over 
a million documents located on nonstandard ports in Gopherspace.


Bradley, you yourself say this is exploitable with HTTP.  Another reason that 
it seems weird to single-out Gopher.


Plenty of people want to run software on non-privileged ports for various 
reasons, including security.

----- End forwarded message -----

-- 
John Goerzen <jgoerzen@xxxxxxxxxxxx>    GPG: 0x8A1D9A1F    www.complete.org