Slashdot Mirror


User: Ibu001

Ibu001's activity in the archive.

Stories: 0 · Comments: 4

Comments · 4

  1. Re:Makes me wonder on iPhone, iPod Touch 1.1.1 Firmwares Jailbroken · Score: 1

    Maybe in the States, but not in sensible countries.

  2. Re:Wrong! on Mac OS X Security Competition Ends in 30 Minutes · Score: 1

    A good way to reduce risks is to avoid diffusing more information than necessary. That's why the finger daemon, for instance, which was a cool feature 15 or 20 years ago, isn't very popular anymore. Searching in my archives, I've found this, which was posted to the WebSTAR mailing list in May 96:

    Request: GET /M_A_C_H_T_T_P_V_E_R_S_I_O_N

    Reply from MacHTTP:

    TAR, Copyright 1996 Chuck Shotton, Portions 1996 Quarterdeck Corp. and its Licensors. All rights reserved. PowerPC (CW) version totalCon 27175, maxCon 38, listening 34, current 4, high 25, busy 0, denied 0, timeout 14, maxMem 2100960, currMem 2051552, minMem 1962192, bytesSent 89734697, port 80, maxTimeout 240, verboseMessages false, disableLogging false, hideWindow false, refuseConnections false, upSince 07/09/96:16:30, version 1.3(PowerPC (CW))

    This wasn't logged. I.e. if you wanted to check if you could download arbitrary files with "bugs #2" (which was a real, nasty, major security bug present in probably all versions of MacHTTP until version 2.2), or play with arguments of CGI scripts, you could just check whether accesses were logged or not. I don't know any web site which publishes this kind of information. There wasn't any option to disable it.

  3. Re:Wrong! on Mac OS X Security Competition Ends in 30 Minutes · Score: 1

    Since documented bugs are features, undocumented features are bugs, especially when they're related to security, aren't they? Ok, let's say it wasn't a bug. But it was still a security and privacy problem.

  4. Wrong! on Mac OS X Security Competition Ends in 30 Minutes · Score: 2, Interesting

    That's just wrong, sorry. There were at least two bugs in MacHTTP I discovered in 96, iirc:

    - URL /M_A_C_H_T_T_P_V_E_R_S_I_O_N gave statistics about the server and wasn't documented (i.e. it was a back door). There was a discussion on MacHTTP mailing list, many Mac fans estimating this was a feature and not a backdoor, and finally MacHTTP was changed to provide only a version string instead of statistics.

    - There was a bug in the URL parsing code which permitted reading the data fork of any file provided you knew its path. This bug existed in MacHTTP 2.2 and was fixed in 2.2.1 when I notified MacHTTP's author.