Received: with ECARTIS (v1.0.0; list gopher);
 Mon, 22 Jul 2002 23:11:35 -0500 (EST)
Return-Path: <aangel@myrealbox.com>
Delivered-To: gopher@complete.org
Received: from smtp-send.myrealbox.com (smtp-send.myrealbox.com
 [192.108.102.143])
	(using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
	(Client CN "*.myrealbox.com", Issuer "Thawte Server CA" (not verified))
	by pi.glockenspiel.complete.org (Postfix) with ESMTP id E51383B81F
	for <gopher@complete.org>; Mon, 22 Jul 2002 23:11:34 -0500 (EST)
Received: from transa.aquarius.null aangel@smtp-send.myrealbox.com
 [24.171.111.62]
	by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision:   3.9  $ on
 Novell NetWare
	via secured & encrypted transport (TLS);
	Mon, 22 Jul 2002 22:11:30 -0600
Subject: [gopher] Re: [Bug 71916] security problem with gopher and
	arbitary ports
From: "Aaron J. Angel" <aangel@myrealbox.com>
To: gopher@complete.org
In-Reply-To: <20020723035709.GC23369@complete.org>
References: <200207222335.g6MNZvl09279@mothra.mozilla.org>
	<20020723010900.GA27682@complete.org>
	<1027387505.16207.19.camel@transa.aquarius.null>
	<20020723035709.GC23369@complete.org>
Content-type: text/plain
Content-Transfer-Encoding: 8bit
X-Mailer: Ximian Evolution 1.0.5 
Date: 22 Jul 2002 23:11:07 -0500
Message-Id: <1027397468.16207.31.camel@transa.aquarius.null>
Mime-Version: 1.0
X-archive-position: 669
X-ecartis-version: Ecartis v1.0.0
Sender: gopher-bounce@complete.org
Errors-to: gopher-bounce@complete.org
X-original-sender: aangel@myrealbox.com
Precedence: bulk
Reply-to: gopher@complete.org
List-help: <mailto:ecartis@complete.org?Subject=help>
List-unsubscribe: <mailto:gopher-request@complete.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-ID: Gopher <gopher.complete.org>
X-List-ID: Gopher <gopher.complete.org>
List-subscribe: <mailto:gopher-request@complete.org?Subject=subscribe>
List-owner: <mailto:jgoerzen@complete.org>
List-post: <mailto:gopher@complete.org>
List-archive: <http://www.complete.org/mailinglists/archives/>
X-list: gopher


> I think you may have missed some of the sarcasm and rhetorical questions in
> my message, so I'll just omit replies to those...

I was agreeing with you, with more rhetorical banter.  (-:

> > The point was Gopher URLs and (ab)using the Gopher protocol can be used
> > to simulate virtually any protocol, including SMTP (read down a little
> > further on the comments, there's an example with SMTP).
> 
> It's pretty trivial to do that with IMAP too, since "GET " forms the
> beginning of any IMAP command.

That's my point, but this is all done with a Gopher URL:

	gopher://imap.server.tld/LOGIN%20user%password%0A%0D...

The argument for this bug, however, is that the following could be used:

	gopher://imap.server.tld/...buffer overflow attack...