Date: Fri, 11 Sep 1998 18:17:30 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: Steve Reid <sreid@alpha.sea-to-sky.net>
Cc: "Jordan K. Hubbard" <jkh@time.cdrom.com>, security@FreeBSD.ORG
Subject: Re: cat exploit
Message-ID: <Pine.BSF.3.96.980911181310.3574U-100000@fledge.watson.org>
In-Reply-To: <Pine.LNX.3.95.iB1.0.980911122720.9437B-100000@alpha.sea-to-sky.net>
On Fri, 11 Sep 1998, Steve Reid wrote:

> On Thu, 10 Sep 1998, Jordan K. Hubbard wrote:
> > Again, what I actually said was "don't blindly cat it to your screen"
> > which is a perfectly valid point. If you want something which
> > protects you, use more or less as many others have suggested.
>
> Are ftp, telnet, rlogin, rsh, and ssh safe? What about pine, elm, mutt,
> mh, biff, etc?
>
> Does every program that displays data from an untrusted system have the
> necessary protections against terminal bombs?

Yes. And I think you'll find that most of these programs already do
provide this service. Certainly tools like 'biff' have long since been
fixed against this.

Consider this to be a denial of service attack -- that is, there is a
desire to have terminal-based services, and there is a desire to prevent
them from being abused. Some services have long since been removed (like
the ability to configure key bindings). Others have immediate uses --
mouse support, changing the title of your xterm, the ability to discover
terminal type without asking the user every time they log in or start a
terminal. Life without interaction between the terminal and the
interactive terminal program isn't all that much fun. I like that
programs can retrieve the size of the current xterm, or take advantage of
mouse buttons.

However, to address these issues, it sounds like someone should submit a
patch to the X consortium and to XFree86 adding a new xterm option to
disable this. I use more, and rely on my set of applications to provide
filtering, so I am not a prime candidate here. Keep in mind also that
this option should not be the default, as it breaks existing
functionality that is not, by itself, insecure.

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
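The filtering Robert says he relies on his applications for (and that `more` and `cat -v` perform) amounts to rewriting untrusted bytes so the terminal sees only printable text. The following is an added example, not code from this thread or from FreeBSD's cat: `visible()` renders bytes the way `cat -v` displays non-printing characters (control bytes as `^X`, DEL as `^?`, high-bit bytes as `M-x`), and `find_sequences()` locates the escape and C1 sequences (title changes, cursor movement and the like) before they are written out. The sample message body is constructed for the example, and the function names are this example's own; the code works on raw bytes, so UTF-8 text should be decoded first if you want accented characters to survive rather than be rendered as `M-` forms.

```python
import re

# Constructed sample: a message body carrying an OSC title-change sequence,
# a CSI clear-screen sequence and two Latin-1 high-bit bytes.
SAMPLE = b"hello\x1b]0;owned\x07 world\x1b[2J\n\xe9t\xe9\n"


def visible(data: bytes, show_tabs: bool = False) -> str:
    """Render bytes the way `cat -v` does, so nothing reaches the terminal
    as a control sequence. Newlines (and tabs unless show_tabs) pass through;
    other control bytes become ^X, DEL becomes ^?, bytes with the high bit
    set get an M- prefix and are then treated as their low seven bits."""
    out = []
    for b in data:
        if b == 0x0A or (b == 0x09 and not show_tabs):
            out.append(chr(b))
            continue
        prefix = ""
        if b >= 0x80:
            prefix = "M-"
            b &= 0x7F
        if b < 0x20:
            out.append(prefix + "^" + chr(b + 0x40))   # e.g. ESC -> ^[
        elif b == 0x7F:
            out.append(prefix + "^?")
        else:
            out.append(prefix + chr(b))
    return "".join(out)


# Escape-sequence shapes, tried in order at each ESC:
#   OSC  ESC ] ... terminated by BEL or ESC \   (xterm title changes etc.)
#   CSI  ESC [ parameters intermediates final   (cursor movement, clearing)
#   Fe   ESC followed by one byte in @..\_      (two-byte sequences)
#   any other ESC + byte, and single C1 control bytes (0x80..0x9f).
_SEQ = re.compile(
    rb"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    rb"|\x1b\[[0-?]*[ -/]*[@-~]"
    rb"|\x1b[@-Z\\-_]"
    rb"|\x1b."
    rb"|[\x80-\x9f]",
    re.DOTALL,
)


def find_sequences(data: bytes) -> list:
    """Return (offset, kind, raw_bytes) for every terminal control sequence
    found in data. Useful for logging or rejecting input before display."""
    found = []
    for m in _SEQ.finditer(data):
        raw = m.group(0)
        if raw.startswith(b"\x1b]"):
            kind = "OSC"
        elif raw.startswith(b"\x1b["):
            kind = "CSI"
        elif raw[0] == 0x1B:
            kind = "ESC"
        else:
            kind = "C1"
        found.append((m.start(), kind, raw))
    return found


if __name__ == "__main__":
    for off, kind, raw in find_sequences(SAMPLE):
        print(f"offset {off}: {kind} {raw!r}")
    print(visible(SAMPLE))
```

Run stand-alone it lists the two sequences in the sample and prints the body with every control byte made visible, which is what a pager or `cat -v` gives you that a bare `cat` does not.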