Today onwards, we shall take a look at some less heard-of services and the threats they pose to Internet Security.
Gopher
Gopher is not as used as before, but it is still fast and efficient. Believe it or not, Gopher is fairly secure but there are some issues I would like to alert you about. One of the most popular Gopher server is the one of the University of Minnesota (found at boombox.micro.umn.edu), which is run by a lot of the Gophers available out there.
You should know that there is a bug on both Gopher and Gopher+ in all versions that were available before August of 1993, as reported in CERT Advisory CA-93:11. This bug allows hacker to obtain password files, both remotely or locally, by potentially gaining unrestricted access to the account running the public access client and reading any file accessible to this account. This includes the /etc/passwd and other sensitive files.
If you want to review this bug, you can check it at the Defense Data Network Bulletin 9315, which can be viewed at the URL HTTP://www.arc.com/database/security_bul...
You should be alert about Gophers proxying an FTP session. Even if access is restricted to an FTP directory on your server, the Gopher can be used to perform a bounce attack. Thus, be careful when protecting an FTP server behind a firewall. If the Gopher server is not protected, a hacker can use it to trespass the firewall.
Another vulnerability, reported by NASA Automated Systems Incident Response Capability (NASIRC), indicates a failure in the gopher servers gpopher1.1 (Gopher) and gopher2.012 (Gopher+) internal access controls, which can allow files in directories above the gopher data directory, such as the password file, to be read if the gopherd does not run chroot. This vulnerability only affects servers that are started with the option "-c". Without this option, gopherd runs chroot and access to files above the gopher-data directory is disabled.
finger
Finger is a program that tells you whether someone is logged on to a particular local or remote computer. Through finger you might be able to learn the full name, terminal location, last time logged in, and other information about an user logged onto a particular host, depending on the data that is maintained about users on that computer. Finger originated as part of BSD UNIX.
To finger another Internet user, you need to have the finger program on your computer or you can go to a finger gateway on the Web and enter the name of the user. The user's computer must be set up to handle finger requests. A
Go To Page: 1 2
