Date: Mon, 22 Jul 2002 22:55:26 -0500
From: John Goerzen <jgoerzen@complete.org>
To: gopher@complete.org
Subject: [gopher] FW: [Bug 71916] security problem with gopher and arbitary
 ports
Message-ID: <20020723035526.GB23369@complete.org>
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
Content-Transfer-Encoding: 8bit
Sender: gopher-bounce@complete.org
Errors-to: gopher-bounce@complete.org
Precedence: bulk
Reply-to: gopher@complete.org


----- Forwarded message from bugzilla-daemon@mozilla.org -----

From: bugzilla-daemon@mozilla.org
Date: Mon, 22 Jul 2002 19:00:49 -0700 (PDT)
To: jgoerzen@complete.org
Subject: [Bug 71916] security problem with gopher and arbitary ports

http://bugzilla.mozilla.org/show_bug.cgi?id=71916


------- Additional Comments From jgoerzen@complete.org  2002-07-22 19:00 -------
I'd also like to highlight some other statements made in this bug.


The original report states that this could not be a problem with HTTP or FTP because of the header.  This is not so.  Plenty of protocols could be 
made to easily ignore that header (SMTP for one, NNTP for another, with IMAP, it would actually be perfectly valid "GET LOGIN foo bar" is a login 
IMAP command).  So the original premise that this is only a Gopher problem is flawed.  Therefore, the conclusion that "gopher should be singled out" 
is equally flawed.


Mitchell Stoltz asserted that there are "infintessimally few" running on nonstandard ports.  I have shown you, in about 3 minutes of searching, over 
a million documents located on nonstandard ports in Gopherspace.


Bradley, you yourself say this is exploitable with HTTP.  Another reason that it seems weird to single-out Gopher.


Plenty of people want to run software on non-privileged ports for various reasons, including security.

----- End forwarded message -----

-- 
John Goerzen <jgoerzen@complete.org>    GPG: 0x8A1D9A1F    www.complete.org