From iacovou@phish.micro.umn.edu  Wed Aug 28 09:34:26 1996
Received: from phish.micro.umn.edu (phish.micro.umn.edu [134.84.134.52]) by suburbia.net (8.7.4/Proff-950810) with SMTP id JAA09681 for <best-of-security@suburbia.net>; Wed, 28 Aug 1996 09:34:22 +1000
Received: (from iacovou@localhost) by phish.micro.umn.edu (8.6.9/8.6.6) id SAA14745; Tue, 27 Aug 1996 18:34:01 -0500
From: Neophytos Iacovou <iacovou@phish.micro.umn.edu>
Message-Id: <199608272334.SAA14745@phish.micro.umn.edu>
Subject: Re: BoS: Potential Gopher Exploit
To: bwc0003@jove.acs.unt.edu (Benjamin Wayne Camp)
Date: Tue, 27 Aug 1996 18:34:01 -0500 (CDT)
Cc: best-of-security@suburbia.net, benc@geocel.com
In-Reply-To: <Pine.GSO.3.95.960827154630.9634B-100000@jove.acs.unt.edu> from "Benjamin Wayne Camp" at Aug 27, 96 04:15:06 pm
Reply-To: iacovou@boombox.micro.umn.edu
X-Favorite-Rooster: Foghorn Leghorn 
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Benjamin Wayne Camp writes:
> 
> Problem:
> If you send "ftp:ftp.site.com@/" as your requested document, the gopher
> server logs on to the ftp site anonymously and acts as a proxy.  You can
> do this with all the gopher servers I've tried.  This is no secret or
> magic trick, it seems as though a lot of gophers link into FTP servers.
> I've just never heard anyone talking about this, and it appears to be a
> hugely widespread problem.  I doubt gopher's logging facilities are up to
> par anyway.  That makes your ftp a hell of a lot more anonymous.
> 
> Summary:
> Don't run GopherD on your firewall.  This is probably a configuration
> issue, but since I'm not a gopher monger I wouldn't know.

 I am not sure of other Gopher servers but in the case of the UofMn
 gopherd it seems this behavior does not exist in versions 2.1 pl4
 and higher (as an aside during 2.2 pl0 the ftp gateway was re-written).
 It is possible that it is fixed in one of these versions as well:
 2.1 pl1, 2.1 pl2, 2.1 pl3 (but I don't have these running).

 I don't have a server around with the reported behavior so I cannot
 verify what the logs report but I bet it does show the retrieved item
 as well as the date/time/host the connection originated from.

 I would suggest upgrading the server to at least 2.2 pl0 (if not 2.3)


 BTW: Benjamin, thanks for pointing this out.

--------------------------------------------------------------------------------
Neophytos Iacovou                                Distributed Computing Services 
University of Minnesota                          100 Union St. SE 
email:  iacovou@boombox.micro.umn.edu            Minneapolis, MN 55455 USA
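
Added example, not part of the original message and not UofMn gopherd code: one way a gateway or filtering front end could refuse the open-proxy behavior discussed in this thread, by allowing FTP-gateway selectors only for an allowlist of FTP hosts and recording which clients were refused. The selector shape "ftp:<host>@<path>" is taken from the report quoted above; the function names, the allowlist, and the sample requests are assumptions constructed for illustration.

```python
# Added example: gate FTP-gateway selectors against an allowlist of FTP hosts.
# Selector shape "ftp:<host>@<path>" comes from the report in this thread;
# every name and sample value below is hypothetical.

# FTP hosts this gateway is meant to front (constructed sample value).
ALLOWED_FTP_HOSTS = {"ftp.example.edu"}


def parse_ftp_selector(selector):
    """Return (host, path) for an ftp-gateway selector, None for any other selector."""
    if not selector.lower().startswith("ftp:"):
        return None
    host, sep, path = selector[4:].partition("@")
    if not sep:
        raise ValueError("ftp selector without '@'")
    # Normalise case and a trailing dot so equivalent spellings compare equal.
    return host.lower().rstrip("."), path


def check_selector(selector):
    """Classify a selector as 'local', 'allow' or 'deny'."""
    # Control characters have no place inside a selector; refuse them outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in selector):
        return "deny"
    try:
        parsed = parse_ftp_selector(selector)
    except ValueError:
        return "deny"
    if parsed is None:
        return "local"          # ordinary document request, not the FTP gateway
    host, _path = parsed
    return "allow" if host in ALLOWED_FTP_HOSTS else "deny"


def audit(requests):
    """Given (client, selector) pairs, return the pairs that were refused."""
    return [(c, s) for c, s in requests if check_selector(s) == "deny"]


# Constructed sample requests (client address, selector).
SAMPLE = [
    ("192.0.2.10", "/docs/readme"),
    ("192.0.2.11", "ftp:FTP.Example.EDU.@/pub"),
    ("198.51.100.7", "ftp:ftp.site.com@/"),
]

if __name__ == "__main__":
    for client, selector in audit(SAMPLE):
        print("refused", client, repr(selector))
```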

