Re: Flawed workaround in MS02-027 -- gopher can run on _any_ port, not just 70

From: Mikael Olsson (mikael.olssonat_private)
Date: Fri Jun 14 2002 - 00:11:24 PDT

Next message: Dave Palumbo: "XSS in CiscoSecure ACS v3.0"

Previous message: § o m e 1: "Mewsoft Auction, PHP Classifieds and eFax.com - CrossSiteScripting issues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jim Paris wrote:
> 
> Have you actually tried this?

I believe the question is: have _you_ actually tried this?

> On all versions I've tried and from what I've read elsewhere on the
> Net, MSIE doesn't work at all with gopher ports other than 70.

It works just fine. That is: the _first_ connection works just fine.
What _doesn't_ work is clicking around inside a gopher site on a non-
standard port, since after the first connection, MSIE promptly forgets 
about the port number we gave it in the original URL, and connects to 
port 70.

However, all an attacker needs is that first connection. :/

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

Next message: Dave Palumbo: "XSS in CiscoSecure ACS v3.0"
Previous message: § o m e 1: "Mewsoft Auction, PHP Classifieds and eFax.com - CrossSiteScripting issues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jun 14 2002 - 13:19:39 PDT