>Since February, 1994, firewalls have been "safely permeable" for World Wide
>Web (WWW) clients via an application level proxy. Proxy support is built
"Safely"? I don't think so. There was some talk a while ago on this
list about mosaic (and, perhaps, lynx) having serious security holes.
Something about using system() indiscriminately, something like:
    {
        char cmd[1024];
        sprintf(cmd,"more %s",filename);
        system(cmd);
    }
where filename is provided by the http page you're reading. If
filename is "foo ; otherCmd", first you see what you expect, then
otherCmd is executed *as you*. With some trickiness, otherCmd can be
used to compromise your system, or at least your own account, and send
a notification to the slime who wrote it.
>If you have concerns about application level proxies in general or our
>solution specifically, then please raise them on this list rather than
>emailing me directly so that we can all participate in the discussion.
I think there's (likely) nothing wrong with your proxy; but people
need to realize that running a proxied mosaic is scarcely safer than
running without a firewall.
/===========================================================================\
|John (Francis) Stracke | My opinions are my own.| The cheapest, fastest, |
|InSoft, Inc. |========================/ and most reliable |
|Mechanicsburg, PA | components of a computer system are those that |
|francis @ insoft . com | aren't there.--Gordon Bell |
\===========================================================================/
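
Added example, not part of the original post and not code from Mosaic or lynx: one way to launch a viewer for an untrusted filename without going through system(), so the "foo ; otherCmd" name above stays a single argument. The names view_file and filename_is_plain are hypothetical, and the viewer is assumed to accept the conventional "--" end-of-options marker.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run `viewer -- filename` with no shell in between. The filename is one
 * argv entry, so ';', '|', '`', '$' and spaces are plain bytes of the name.
 * Returns the viewer's exit status, or -1 on failure. */
int view_file(const char *viewer, const char *filename)
{
    pid_t pid;
    int status;

    if (filename == NULL || filename[0] == '\0')
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" keeps a name starting with '-' from being read as an option */
        execlp(viewer, viewer, "--", filename, (char *)NULL);
        _exit(127);                      /* exec itself failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Second layer (an assumption of this example, not something the post
 * proposes): accept only names built from an allowlisted character set. */
int filename_is_plain(const char *filename)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "0123456789._-/";
    size_t n = strlen(filename);
    return n > 0 && filename[0] != '-' && strspn(filename, ok) == n;
}

int main(void)
{
    const char *name = "foo ; otherCmd";   /* the filename from the post */
    printf("plain=%d\n", filename_is_plain(name));
    printf("status=%d\n", view_file("cat", name));
    return 0;
}
```

Because no fixed-size command buffer is built, the sprintf() into cmd[1024] and its possible overflow on a long filename also go away.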