This advisory has been sent to: comp.security.unix INFOHAX BUGTRAQ CERT/CC Gopher Maintainers =========================================================================== [8lgm]-Advisory-4.UNIX.gopher.12-Feb-1992 PROGRAM: gopher(1) (/usr/local/bin/gopher) UMN gopher client VULNERABLE OS's: All versions are believed to have this vulnerability. DESCRIPTION: Shell access can be gained from gopher(1), even when running in secure mode. IMPACT: gopher guest accounts are not secure. REPEAT BY: This example demonstrates how to use gopher running in secure mode to gain access to sh. Please do not do this unless you have permission. Create or modify a .Links file on any public gopher server, for example: Type=8 Name=I'll give you a shell Host=;/bin/sh Port= Path= Log into the gopher account, and access the server and directory containing the modified .Links file. Select the "I'll give you a shell" item, and after quiting telnet the user has access to sh. It is also possible to create an entry that would not inform the user of a gopher client of the commands that are about to be executed. It is therefore possible to leave commands on a gopher server for unsuspecting users to execute. ADVICE: 1. Display techinical information about a link before connecting to other hosts using gopher. 2. Consider disabling guest gopher logins in the interim. FEEDBACK AND CONTACT INFORMATION: 8lgm-bugs@bagpuss.demon.co.uk (To report security flaws) 8lgm-request@bagpuss.demon.co.uk (Request for [8lgm] Advisories) 8lgm@bagpuss.demon.co.uk (General enquiries) System Administrators are encouraged to contact us for any other information they may require about the problems described in this advisory. We welcome reports about which platforms this flaw does or does not exist on. ===========================================================================