You bring up an interesting point, one that addresses the issue that a policy
is the first step in addressing a firewall solution. You have to advise
your customers of the age-old tenet that you should never take candy from
strangers :-) . I just have one question; the example that you cite about
troff/nroff works for a Unix client; are there any such holes for Windows or
Macintosh clients? Most of the users at our site (and I would guess that a
majority of corporate users) use Windows and/or Macintosh clients to access
the WWW from the desktop. I am compiling some security guidelines for these
clients, but I am not sure of any blatant holes for a client running under
the above mentioned operating systems. If you, or anyone else for that
matter, could let me know if you found any, I would greatly appreciate it.
To: Brad - Walker; firewalls
Subject: Re: questions about security & WWW browsers
Date: Friday, February 17, 1995 5:37PM
At 00:17 2/14/95, Brad - Walker wrote:
>My questions concern HTML and Web browsers. Is it possible for a WWW
>server to issue HTML commands to the browsers to do things like
>delete a file, spawn a process or some other anti-social behavior (much
>like `deletefile' in Display PostScript).
>I'm in a discussion about firewalls and their limitations when it
>comes to application filtering.
I don't believe it's directly possible with HTML, but there are all sorts
of indirect possibilities. If a WWW server returns data of type
"PostScript", and your Web browser forks off a copy of Display PostScript
or GhostScript or something to deal with it, who knows what that PostScript
code can do? And what about all the other data types your Web browser
knows about, and the "display" programs for them; what are their
capabilities and vulnerabilities?
Further, can an attacker convince your users to add a new data type to
their Web browser's configuration? By offering some nifty new service
(stock prices, weather updates, dirty pictures, whatever it is that will
get people's attention), telling folks "hey, here's what you need to add to
your .mosaicrc file in order to use this service"? A lot of folks are
going to go for that, even if the "data type" being added is "sucker" and
the "display program" is "/bin/sh". Even if your users are a little
smarter than that, though, and won't fall for such an obvious ploy, would
they fall for something less obvious? Like somebody offering documentation
for something over the Web in nroff/troff format? And telling folks "hey,
here's an easy way to add a 'troff' data type to your .mosaicrc file, which
just runs '/usr/bin/troff' on the job and pipes the output to your screen"?
That will probably sound safe enough to most users; problem is, most users
don't realize that troff has a mechanism for doing shell escapes, so
they've just given the attacker an indirect path to their shell.
== For info about the Internet Security Firewalls Tutorial and a schedule
== of upcoming dates, please send email to Tutorial-Info @
== Brent Chapman Great Circle Associates
== Brent @
COM 1057 West Dana Street
== +1 415 962 0841 Mountain View, CA 94041
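
The viewer-configuration risk raised in the thread above can be checked for on a client. This audit is an added example, not part of the original messages. It assumes viewer mappings are kept in mailcap syntax (`type; command`), and the program lists are illustrative ones built from the programs the thread names.

```python
import shlex

# Constructed sample in mailcap syntax ("type; command"); not from the thread.
SAMPLE = """\
# viewers
image/gif; xv %s
application/postscript; ghostscript %s
application/x-troff; /usr/bin/troff %s | xditview
application/x-sucker; /bin/sh %s
text/plain; less %s
"""

# Assumed, illustrative lists; extend them for the viewers your site allows.
SHELLS = {"sh", "csh", "ksh", "bash", "tcsh", "zsh"}
PROGRAMMABLE = {"troff": "troff input can contain shell escapes",
                "nroff": "troff-family formatter",
                "ghostscript": "PostScript is a programming language",
                "gs": "PostScript is a programming language"}

def parse_mailcap(text):
    """Yield (mime_type, command) for each non-comment entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mime, sep, rest = line.partition(";")
        if not sep:
            continue  # malformed entry: no command field
        # Simplification: drops trailing flag fields, ignores escaped ';'.
        command = rest.split(";")[0].strip()
        yield mime.strip().lower(), command

def audit(text):
    """Return (mime_type, program, reason) for each risky viewer found."""
    findings = []
    for mime, command in parse_mailcap(text):
        # Check every stage of a pipeline, not just the first program.
        for stage in command.split("|"):
            try:
                words = shlex.split(stage)
            except ValueError:
                findings.append((mime, stage.strip(), "unparseable command"))
                continue
            prog = words[0].rsplit("/", 1)[-1] if words else ""
            if prog in SHELLS:
                findings.append((mime, prog, "content is handed to a shell"))
            elif prog in PROGRAMMABLE:
                findings.append((mime, prog, PROGRAMMABLE[prog]))
    return findings
```

Calling `audit(SAMPLE)` reports the PostScript, troff and `/bin/sh` entries and passes the image and plain-text viewers.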